CCNA 200-301 v2 (200-301) — Questions 175

1819 questions total · 25 pages · All types, answers revealed

Page 1 of 25

1 · Multi-Select · medium

Which TWO statements correctly describe interface errors and duplex mismatches on Cisco switches?

Select 2 answers
A. Runts are typically caused by CRC errors on the transmitting device.
B. Late collisions on a half-duplex interface can indicate a duplex mismatch with the connected device.
C. The 'show interfaces' command displays the number of CRC errors and runts on an interface.
D. Full-duplex interfaces use CSMA/CD to detect collisions before transmitting.
E. Auto-MDIX can resolve a duplex mismatch by renegotiating the speed and duplex settings.
Answers: B, C

Late collisions occur after the frame's first 512 bits have been transmitted, typically due to one side operating in full-duplex while the other is half-duplex.

Why this answer

Option B is correct because late collisions occur when a frame is transmitted onto the wire and collides after the first 512 bit-times of the frame. In a half-duplex Ethernet segment, a duplex mismatch causes the full-duplex side to never defer and transmit at any time, while the half-duplex side expects to detect collisions only during the collision window. When the full-duplex device sends a frame while the half-duplex device is already transmitting, the half-duplex device detects a collision after the 512-bit window, resulting in a late collision.

Exam trap

Cisco often tests the distinction between late collisions (which occur after the 64-byte window and indicate a duplex mismatch) and early collisions (which occur within the window and are normal in half-duplex), and candidates mistakenly think that all collisions are normal or that CRC errors are the primary cause of runts.

Why the other options are wrong

A

Runts result from collisions on half-duplex links or faulty network interface cards, not from CRC errors.

D

CSMA/CD is only used in half-duplex environments; full-duplex disables collision detection entirely.

E

Auto-MDIX does not participate in speed or duplex negotiation; that function is handled by auto-negotiation (IEEE 802.3u).

2 · Multi-Select · easy

A network engineer is reviewing REST API behavior. Which two statements are true?

Select 2 answers
A. GET is commonly used to retrieve information from an API
B. POST is commonly used to create a new resource
C. DELETE is used to encrypt a payload before transport
D. PUT always retrieves a list of resources
E. GET requires a token in every API design
Answers: A, B

GET is the standard read operation.

Why this answer

GET is used to retrieve data without changing server state, while POST commonly creates a new resource or submits data for processing. PUT is usually for full replacement, and DELETE removes a resource.

Exam trap

A common exam trap is misinterpreting the function of HTTP methods in REST APIs, such as believing DELETE encrypts data or PUT retrieves resource lists. DELETE actually removes resources, and PUT replaces or updates existing resources. Confusing POST and PUT is also frequent, where POST creates new resources while PUT replaces them.

These misunderstandings can lead to incorrect answers or automation scripts that cause unintended network changes. The exam expects precise knowledge of REST API method purposes, especially in Cisco automation contexts.

Why the other options are wrong

C

Incorrect because DELETE does not encrypt payloads; it removes resources from the server. Encryption is handled separately and not by HTTP methods themselves.

D

Incorrect because PUT does not retrieve lists of resources; it replaces or updates an existing resource. Retrieval is typically done by GET.

E

Incorrect because while many APIs require tokens for authentication, GET itself does not inherently require a token; authentication depends on API security design, not the HTTP method.

3 · MCQ · medium

An API client sends a valid GET request and receives an HTTP 200 response. What does that indicate?

A. The resource was deleted successfully
B. The request was successful
C. Authentication permanently failed
D. The server requires a reboot
Answer: B

Correct. HTTP 200 means the request succeeded.

Why this answer

HTTP 200 indicates a successful request. For a GET operation, it generally means the server successfully returned the requested resource representation.

Exam trap

A frequent exam trap is mistaking the HTTP 200 status code for indicating actions other than a successful GET request, such as resource deletion or authentication failure. Candidates might incorrectly associate 200 with deletion success, which is more accurately represented by 204 No Content. Others may confuse 200 with authentication errors, which are actually indicated by 401 Unauthorized or 403 Forbidden codes.

This confusion arises because candidates sometimes focus on the number 200 as a generic success without linking it specifically to the GET method’s successful retrieval. Understanding the precise meaning of HTTP codes in the context of REST API methods is essential to avoid this trap.

Why the other options are wrong

A

Option A is incorrect because HTTP 200 does not indicate resource deletion. Deletion success is usually represented by 204 No Content or 202 Accepted, not 200.

C

Option C is incorrect since authentication failures return 401 Unauthorized or 403 Forbidden, not 200. A 200 response confirms successful authentication and request processing.

D

Option D is incorrect because HTTP 200 does not signal any server reboot requirement. Server maintenance or reboot notifications are not conveyed via standard HTTP success codes.

4 · MCQ · hard

An interface is configured with 10.24.7.158/27. What is the broadcast address of that subnet?

A. 10.24.7.159
B. 10.24.7.191
C. 10.24.7.127
D. 10.24.7.160
Answer: A

Correct. It is the last address in the /27 block.

Why this answer

A /27 uses blocks of 32 addresses. The block containing .158 is 10.24.7.128 through 10.24.7.159, so .159 is the broadcast address.

Exam trap

A frequent exam trap is mistaking the broadcast address for the network address of the next subnet or the last address of a different subnet block. For example, 10.24.7.160 is the network address of the next /27 subnet, not the broadcast address of the current subnet. Candidates often confuse the last usable host address with the broadcast address or select an address from an adjacent subnet block.

This mistake leads to incorrect subnetting answers and can cause interface misconfigurations in real networks, resulting in communication failures.

Why the other options are wrong

B

Incorrect. 10.24.7.191 is the last address of a larger /26 subnet block, not the /27 block containing 10.24.7.158, so it cannot be the broadcast address here.

C

Incorrect. 10.24.7.127 is the broadcast address of the previous /27 subnet block (10.24.7.96/27), not the one containing 10.24.7.158.

D

Incorrect. 10.24.7.160 is the network address of the next /27 subnet block after 10.24.7.128/27, not the broadcast address of the current subnet.

5 · Multi-Select · medium

Which three statements about the Spanning Tree Protocol (STP) are true? (Choose three.)

Select 3 answers
A. STP uses Bridge Protocol Data Units (BPDUs) to exchange topology information.
B. STP elects a root bridge based on the lowest bridge ID.
C. STP places redundant ports in blocking state to prevent loops.
D. STP always uses the highest port cost to select the root port.
E. STP converges instantly after a topology change.
F. STP is used to increase the number of broadcast domains.
Answers: A, B, C

Why this answer

All three statements are correct because STP relies on Bridge Protocol Data Units (BPDUs) to share topology information between switches, elects a root bridge by comparing bridge IDs (a combination of priority and MAC address, with the lowest value winning), and prevents loops by placing redundant ports into a blocking state (discarding state in Rapid PVST+). These are fundamental behaviors of the 802.1D Spanning Tree Protocol.

Exam trap

Cisco often tests the fact that STP does not use timers to elect the root bridge (it uses bridge ID comparison) and that blocking state is the mechanism for loop prevention, not disabling the port entirely or relying on TCN BPDUs alone.

6 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a switch access port, and then recover after a BPDU Guard error-disable event.


Why this order

The correct order starts with global and interface configuration mode, then enabling PortFast, followed by BPDU Guard. After an error-disable event due to BPDU Guard, the proper manual recovery is to first issue the 'shutdown' command on the interface, then issue the 'no shutdown' command; simply using 'no shutdown' alone will not clear the errdisable state.

Exam trap

Remember that PortFast must be configured before BPDU Guard on an interface. Also, after an error-disable event due to BPDU Guard, the default recovery is manual: you must issue both 'shutdown' and then 'no shutdown' on the interface, not just 'no shutdown'. Do not confuse global default commands with recovery steps.

7 · PBQ · hard

You are connected to R1 via the console. An extended ACL named BLOCK_SMTP has been applied inbound on interface GigabitEthernet0/1, but users on the 192.168.10.0/24 network cannot send email to the SMTP server at 203.0.113.10. Additionally, the ACL is blocking all other traffic that should be permitted. Examine the running configuration and fix the ACL so that SMTP traffic (TCP port 25) from the 192.168.10.0/24 network to the SMTP server is permitted, and all other IP traffic is allowed.

Hints

  • The ACL is applied inbound on G0/1, so the source is the internal network.
  • The current ACL denies all SMTP traffic; you need to permit SMTP from the specific source network to the SMTP server before the deny.
  • Remember to remove the old ACL and create a new one with the correct order of entries.
A. permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25; deny tcp any any eq 25; permit ip any any
B. permit tcp any any eq 25; deny tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25; permit ip any any
C. deny tcp any any eq 25; permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25; permit ip any any
D. permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25; permit ip any any; deny tcp any any eq 25
Answer: A
Solution
! R1
configure terminal
! Remove the existing ACL so its entries can be re-entered in the correct order
no ip access-list extended BLOCK_SMTP
ip access-list extended BLOCK_SMTP
 ! Specific permit first: SMTP from the internal network to the SMTP server
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
 ! Then block all other SMTP
 deny tcp any any eq 25
 ! Finally allow every other IP packet (overrides the implicit deny)
 permit ip any any
end

Why this answer

The correct answer is A. It permits SMTP from 192.168.10.0/24 to the SMTP server, then denies all other SMTP traffic, and finally permits all other IP traffic. Option B is wrong because it places a general permit for any SMTP before the specific deny, meaning all SMTP is permitted regardless of source/destination.

Option C is wrong because it denies all SMTP first, so the subsequent specific permit for the user network is never reached. Option D is wrong because it permits the specific SMTP, then permits all IP traffic (including other SMTP), and only then denies SMTP; the permit ip any any placed before the deny makes the deny unreachable, so all SMTP is allowed.

Exam trap

Remember that ACLs are processed sequentially; the first match wins. A common mistake is to place a general permit or deny before a specific statement, causing the specific statement to never be evaluated. Always order ACL entries from most specific to most general.

Why the other options are wrong

B

The order of ACL entries is crucial; the first match is applied. Here, the permit any any matches all SMTP before the deny can block the specific traffic.

C

The deny any any matches all SMTP, so the subsequent permit for the specific source/destination is never reached.

D

The permit ip any any matches all traffic, so the subsequent deny for SMTP is never applied.

8 · Multi-Select · medium

A router is configured as a DHCP server for VLAN 20. Clients on the VLAN can reach the default gateway, but they do not receive leases. Which two configuration issues on the router would directly prevent successful address assignment?

Select 2 answers
A. The excluded-address range removes the entire usable subnet
B. The DHCP pool is missing a dns-server statement
C. The subinterface lacks an ip helper-address
D. There are no available addresses left in the defined pool
Answers: A, D

Excluding 10.20.20.1 through 10.20.20.254 leaves nothing assignable for clients.

Why this answer

The router can serve DHCP locally without an ip helper-address. The real problem is that the excluded-address range consumes every usable host address, leaving the pool with no assignable leases.

Exam trap

A common exam trap is to incorrectly assume that missing optional DHCP parameters, such as the dns-server statement, or the absence of an ip helper-address on the subinterface, will prevent clients from receiving leases. Candidates may also overlook the impact of the excluded-address command consuming the entire subnet range, mistakenly thinking the router’s DHCP service is functioning correctly because clients can ping the gateway. The real issue is that no IP addresses remain available to assign, which is a subtle but critical configuration error that directly causes DHCP lease failures.

Why the other options are wrong

B

Incorrect because the dns-server statement is optional; its absence does not prevent the DHCP server from assigning IP addresses to clients.

C

Incorrect because the ip helper-address command is only necessary when forwarding DHCP requests across subnets, not when the router itself is the DHCP server on the VLAN.

9 · MCQ · hard

A switchport is configured with sticky MAC learning and a maximum secure MAC value of 2. What is the main benefit of sticky learning in this situation?

A. It allows secure MAC addresses to be learned dynamically and used by port security.
B. It removes the maximum secure MAC limit automatically.
C. It converts the port into a trunk after two MAC addresses are learned.
D. It disables port security after the first reboot.
Answer: A

This is correct because sticky learning records observed MACs as secure addresses.

Why this answer

Sticky MAC learning allows the switch to learn secure MAC addresses dynamically and treat them as port-security entries without the administrator typing them manually. In plain language, it combines some of the convenience of automatic learning with the control of port security. If the configuration is later saved, those learned entries can become persistent.

This is a common CCNA port-security concept because it shows how sticky learning works with, not instead of, port security. The correct answer is the one focused on dynamic secure learning and convenience, not on disabling the maximum limit or turning the port into a trunk.

Exam trap

A frequent exam trap is to assume that sticky MAC learning disables the maximum secure MAC address limit or automatically converts the port into a trunk. Some candidates mistakenly believe sticky learning removes the configured maximum or disables port security after reboot. However, sticky learning only dynamically learns and locks MAC addresses up to the configured maximum and requires saving the configuration to persist.

Misunderstanding this can lead to selecting incorrect answers that imply sticky learning changes port behavior beyond dynamic secure MAC address learning.

Why the other options are wrong

B

This option is incorrect because sticky learning does not remove or disable the configured maximum secure MAC address limit; the limit remains enforced regardless of sticky learning.

C

This option is incorrect because sticky learning does not change the port type or convert it into a trunk; port mode remains unchanged and unrelated to sticky MAC learning.

D

This option is incorrect because sticky MAC addresses can persist if the configuration is saved, so port security is not disabled after a reboot; sticky learning supports persistence, not disabling.

10 · MCQ · hard

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

A. It provides Layer 2 trunk negotiation for the supplicant.
B. It validates authentication credentials for the supplicant.
C. It replaces the need for DHCP on the access layer.
D. It generates ARP replies on behalf of the default gateway.
Answer: B

Correct. The RADIUS server performs centralized AAA decisions.

Why this answer

The switch acts as the authenticator and forwards authentication requests to the RADIUS server, which validates the user or device credentials.

Exam trap

A common exam trap is assuming the RADIUS server handles functions beyond authentication, such as DHCP IP address assignment or ARP gateway replies. Candidates might mistakenly believe that RADIUS negotiates switchport trunking or manages Layer 2 connectivity, which it does not. This confusion often arises because RADIUS is involved in network access control but does not replace other network services.

Misunderstanding these roles can lead to selecting incorrect options that describe unrelated network functions, causing errors in the exam.

Why the other options are wrong

A

Option A is incorrect because the RADIUS server does not handle Layer 2 trunk negotiation. Trunking is managed by protocols such as DTP or manual switchport configuration, not by the authentication server.

C

Option C is incorrect because DHCP is responsible for IP address assignment, not the RADIUS server. RADIUS focuses solely on authentication, authorization, and accounting functions.

D

Option D is incorrect because the RADIUS server does not generate ARP replies or perform any gateway functions. These tasks are handled by routers or Layer 3 devices in the network.

11 · MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting a trunk link between SW1 and SW2. The trunk on interface GigabitEthernet0/0 on SW1 is not passing traffic, and all VLANs are isolated. The administrator issues the command 'show interfaces GigabitEthernet0/0 trunk' on SW1. What is the most likely cause of the issue?

A. The native VLAN is mismatched between SW1 and SW2.
B. The interface is configured as an access port instead of a trunk.
C. The interface is administratively shut down.
D. The trunk encapsulation is set to ISL on SW1, but the peer switch only supports 802.1Q.
Answer: D

The Encapsulation column shows 'isl', and the Status is 'not-trunking'. This confirms that SW1 is using ISL, which is incompatible with the peer's 802.1Q-only support, preventing trunk establishment.

Why this answer

The 'show interfaces GigabitEthernet0/0 trunk' output explicitly displays encapsulation 'isl' and status 'not-trunking'. This indicates that the port is configured for ISL encapsulation, but the trunk is not operational. Since the peer switch only supports 802.1Q, the encapsulation mismatch prevents the trunk from forming, causing the traffic isolation.

Exam trap

Option A is commonly chosen because candidates often suspect a native VLAN mismatch when trunk issues arise. However, the exhibit shows the native VLAN is 1 (default) and does not indicate any mismatch; the real cause is the ISL encapsulation setting.

Why the other options are wrong

A

Native VLAN mismatches can cause traffic to leak between VLANs, but they do not prevent a trunk from becoming operational. The output clearly shows the encapsulation type as ISL, not a native VLAN problem.

B

Candidates might assume a misconfigured mode causes the issue, but the exhibit confirms the port is in trunk mode ('on' mode).

C

New learners might equate 'not-trunking' with a shutdown state, but 'admin down' is a distinct status. The port is operationally unable to trunk, not manually disabled.

12 · Multi-Select · medium

Which TWO statements correctly compare 802.11ac and 802.11ax features?

Select 2 answers
A. 802.11ax uses OFDMA, while 802.11ac uses OFDM.
B. Both 802.11ac and 802.11ax support 1024-QAM modulation.
C. WPA3 is mandatory for 802.11ax and optional for 802.11ac.
D. Both standards use only the 5 GHz band.
E. 802.11ac uses 80 MHz channels, while 802.11ax uses 160 MHz channels exclusively.
Answers: A, C

OFDMA allows multiple users to share subcarriers simultaneously, improving efficiency in dense environments.

Why this answer

Option A is correct because 802.11ax (Wi‑Fi 6) introduces Orthogonal Frequency Division Multiple Access (OFDMA), which allows multiple users to share subcarriers simultaneously, improving efficiency in dense environments. In contrast, 802.11ac (Wi‑Fi 5) uses Orthogonal Frequency Division Multiplexing (OFDM), where each transmission occupies the entire channel for a single user, leading to less efficient channel utilization. Option C is correct: WPA3 is mandatory for Wi‑Fi 6 (802.11ax) certification, while for 802.11ac it is optional—devices can still obtain Wi‑Fi 5 certification with WPA2 only.

Option B is incorrect because 802.11ac supports a maximum of 256‑QAM; 1024‑QAM is first introduced with 802.11ax. Option D is wrong: 802.11ac operates exclusively in the 5 GHz band, but 802.11ax operates in both 2.4 GHz and 5 GHz. Option E is false: both standards support 20, 40, 80, and 160 MHz channel widths; 802.11ac does not exclusively use 80 MHz, and 802.11ax does not use 160 MHz exclusively.

Exam trap

Cisco often tests the misconception that higher QAM values (like 1024-QAM) are backward-compatible across Wi-Fi generations, but 802.11ac is limited to 256-QAM, and 802.11ax is the first to support 1024-QAM.

Why the other options are wrong

B

802.11ac supports only up to 256‑QAM; 1024‑QAM is introduced with 802.11ax.

D

802.11ac operates only in the 5 GHz band, but 802.11ax operates in both 2.4 GHz and 5 GHz.

E

Both 802.11ac and 802.11ax support a range of channel widths, including 20, 40, 80, and 160 MHz; neither standard restricts to a single channel width.

13 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure single-area OSPFv2 on a router and verify the neighbor state transitions from Down to Full.


Why this order

After configuring OSPF, clearing the process triggers neighbor state transitions from Down to Full, which can then be verified with the neighbor command.

Note: Clearing the OSPF process is a disruptive action that resets all adjacencies. In production, use 'clear ip ospf process' only when necessary. For normal configuration verification, 'show ip ospf neighbor' is sufficient without clearing.

Exam trap

Do not confuse the order of enabling OSPF and configuring networks; router ospf must come first. Also, remember that clearing the OSPF process is necessary to trigger neighbor state transitions for verification purposes.

14 · PBQ · hard

You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.

Hints

  • The source network is 10.0.0.0/24; use the correct wildcard mask.
  • The destination is a single host IP; use the 'host' keyword.
  • The ACL must be applied to the interface where traffic from 10.0.0.0/24 enters R1.
A. access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22; access-list 100 deny ip any host 203.0.113.1; interface GigabitEthernet0/1; ip access-group 100 in
B. access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22; access-list 100 deny ip any host 203.0.113.1; interface GigabitEthernet0/0; ip access-group 100 out
C. access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22; interface GigabitEthernet0/1; ip access-group 100 in
D. access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22; access-list 100 deny ip any any; interface GigabitEthernet0/1; ip access-group 100 in
Answer: A
Solution
! R1
configure terminal
! Permit only SSH from 10.0.0.0/24 to R2's loopback
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
! Explicitly deny every other packet destined to the loopback
access-list 100 deny ip any host 203.0.113.1
! Leave all other traffic entering this interface unaffected
access-list 100 permit ip any any
! Apply inbound on the interface facing the 10.0.0.0/24 network
interface GigabitEthernet0/1
 ip access-group 100 in
end

Why this answer

The current configuration has no ACL restricting traffic to R2's loopback. The candidate must create an extended ACL that permits TCP from 10.0.0.0/24 to host 203.0.113.1 eq 22, then deny all other IP traffic to that host. The ACL must be applied inbound on R1's G0/1 (facing the 10.0.0.0/24 network) to filter traffic before it enters R1.

Applying outbound on G0/0 would also work, but inbound on G0/1 is more efficient and typical. The implicit deny at the end of the ACL blocks all other traffic to the loopback.

Exam trap

Be careful with ACL placement: inbound on the source-facing interface is more efficient and standard. Also, remember that extended ACLs should be placed as close to the source as possible. Do not rely solely on the implicit deny; explicit denies are often required in exam answers.

Avoid using overly broad deny statements that affect more traffic than intended.

Why the other options are wrong

B

The ACL is applied outbound on G0/0 instead of inbound on G0/1. Although it may achieve the goal, it is not the most efficient placement and may not be the expected answer in a PBQ.

C

Missing the explicit deny statement. The implicit deny at the end of the ACL will block other traffic, but the question expects an explicit deny for clarity and completeness.

D

The deny statement is too broad; it denies all IP traffic, not just traffic to the loopback. The correct deny should be specific to the loopback host.

15 · Matching · medium

Match each API or programmability term to its most accurate meaning.

Descriptions to match:
  • Centralized management or policy platform
  • Application-facing interface to the controller
  • Structured data format commonly used in API payloads
  • Credential-like value used to help control API access

Why these pairings

The 'Controller' is a centralized platform that manages network devices and enforces policies. The 'Northbound API' provides an interface for applications and users to interact with the controller. 'JSON' is a lightweight, structured data format commonly used to exchange data in API payloads. A 'Token' is a credential-like value used to authenticate and authorize API requests, ensuring secure access to the controller.

Exam trap

Learners often confuse 'Northbound API' with 'Southbound API' (controller-to-device interface). Focus on direction: Northbound faces applications, Southbound faces network devices.

16 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IPv4 default static route with a floating backup route on a Cisco router.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order is:
  1. Enter privileged EXEC mode using the enable command, because you must be in privileged mode to enter global configuration.
  2. Enter global configuration mode with configure terminal, as static routes are configured in global configuration.
  3. Configure the primary default route using ip route 0.0.0.0 0.0.0.0 <next-hop> with the default administrative distance (1), establishing the primary path.
  4. Configure the floating backup route using ip route 0.0.0.0 0.0.0.0 <backup-next-hop> <higher-AD> (e.g., 10), so it is less preferred.
  5. Exit global configuration mode using end to return to privileged EXEC.
  6. Save the configuration with copy running-config startup-config to ensure the routes persist after a reboot.

17 · Matching · medium

Drag and drop the 802.11 standards on the left to their correct frequency band and maximum throughput on the right.

Descriptions to match (frequency band, maximum throughput):
  • 2.4 GHz, 11 Mbps
  • 5 GHz, 54 Mbps
  • 2.4 GHz, 54 Mbps
  • 2.4/5 GHz, 600 Mbps
  • 5 GHz, 6.9 Gbps

Why these pairings

Each 802.11 standard operates in specific frequency bands and has a maximum theoretical throughput. 802.11a uses 5 GHz at 54 Mbps, 802.11b uses 2.4 GHz at 11 Mbps, 802.11g uses 2.4 GHz at 54 Mbps, 802.11n uses both 2.4 and 5 GHz up to 600 Mbps, 802.11ac uses 5 GHz up to 6.9 Gbps, and 802.11ax uses 2.4, 5, and 6 GHz up to 9.6 Gbps.

Exam trap

A common trap is confusing 802.11a with 802.11g because both have 54 Mbps throughput, but they operate in different frequency bands. Remember that 802.11a uses 5 GHz exclusively, while 802.11g uses 2.4 GHz.

18 · Matching · medium

Drag and drop the AI/ML concepts on the left to the correct descriptions on the right.

Descriptions to match:
  • Identifies deviations from normal network behavior, such as unusual traffic spikes or security threats.
  • Uses historical data and ML models to forecast future network events, like congestion or device failures.
  • Translates business intents into network policies and continuously verifies that the network meets those intents.
  • Trains a model using labeled data to classify or predict outcomes, such as identifying specific types of traffic.
  • Discovers hidden patterns or clusters in unlabeled data, often used for anomaly detection or traffic profiling.
  • Optimizes network decisions through trial and error, using rewards to learn optimal actions over time.

Why these pairings

Supervised learning uses labeled data, unsupervised finds hidden patterns, reinforcement learning uses rewards, neural networks mimic brain structure, training data is for learning, and inference is applying the model to new data.

Exam trap

The trap is that candidates may confuse the definitions of supervised learning, unsupervised learning, reinforcement learning, and neural networks. Remember: supervised = labeled data, unsupervised = unlabeled patterns, reinforcement = rewards, neural networks = brain-inspired architecture. Focus on the key differentiator: the presence or absence of labels.

19 · MCQ · hard

Based on the exhibit, which route will be used for destination 10.1.1.70?

A. The static route to 10.1.1.64/26
B. The OSPF route to 10.1.1.0/24
C. The OSPF route to 10.1.0.0/16
D. The default route
Answer: A

This is correct because 10.1.1.70 matches the more specific /26 route.

Why this answer

The route used will be the one with the longest matching prefix. In practical terms, 10.1.1.70 falls inside 10.1.1.64/26, and that prefix is more specific than both 10.1.1.0/24 and 10.1.0.0/16. Route selection begins with specificity, so the /26 route wins regardless of the broader alternatives.

This is a clean simulation-style routing-table interpretation question and very close to real exam thinking.

Exam trap

A frequent exam trap is to incorrectly assume that dynamic routing protocols like OSPF always override static routes or that administrative distance alone determines the chosen route. Candidates might see multiple routes to the destination and pick the OSPF route with a broader subnet mask, ignoring that the static route has a longer prefix match. This mistake overlooks the fundamental Cisco routing rule that longest prefix match takes precedence over administrative distance when multiple routes exist.

Misreading subnet masks or ignoring prefix specificity leads to selecting less optimal or incorrect routes in the exam scenario.

Why the other options are wrong

B

Option B is incorrect because the OSPF route to 10.1.1.0/24 is less specific than the /26 static route. Even though OSPF is a dynamic protocol, the router prefers the more specific static route.

C

Option C is incorrect since the OSPF route to 10.1.0.0/16 covers a much larger network and is less specific than both the /24 and /26 routes, so it is not chosen for 10.1.1.70.

D

Option D is incorrect because the default route is only used when no other more specific route matches the destination. Here, the /26 static route is more specific, so the default route is ignored.

20
MCQ · medium

Port security is enabled with a maximum of 2 MAC addresses, but a third device connected through a small hub causes a violation. Which result is expected in restrict mode?

A. The port goes immediately to err-disabled state
B. Frames from the unknown MAC are dropped and the violation is counted
C. The switch learns the third MAC after 30 seconds automatically
D. STP blocks the port until the MAC table ages out
Answer: B

That is the purpose of restrict mode.

Why this answer

In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.

Exam trap

Be careful not to confuse restrict mode with shutdown mode, which disables the port entirely.

Why the other options are wrong

A

In restrict mode, the port does not go to err-disabled state; that behavior is specific to shutdown mode. Shutdown mode disables the port upon a violation, whereas restrict mode only drops traffic from unknown MACs and increments the violation counter.

C

Port security does not automatically learn additional MAC addresses after a delay; it strictly enforces the configured maximum number of MAC addresses. If the maximum is set to 2, any new MAC address beyond that triggers a violation action (restrict, shutdown, or protect) immediately, not after 30 seconds.

D

STP (Spanning Tree Protocol) is used to prevent loops in redundant topologies and does not enforce port security. Port security violations are handled by the port security feature itself, independent of STP. STP blocking a port would be unrelated to MAC address limits.
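The three violation modes compared in this question, simulated side by side (an added example, not part of the question bank; the MAC addresses are constructed):

```python
"""Port-security violation modes from question 20: maximum 2 secure MACs, a
third host appears through a hub. Added example; the MAC addresses are
constructed, and the three violation modes are simulated side by side."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 2
    mode: str = "restrict"            # 'protect', 'restrict' or 'shutdown'
    secure_macs: list = field(default_factory=list)
    violations: int = 0               # SecurityViolation counter
    err_disabled: bool = False

    def frame_in(self, src_mac: str) -> str:
        """Process one ingress frame and report what the switch did with it."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic learning up to the maximum
            return "forwarded (learned)"
        # Unknown source MAC beyond the maximum: this is the violation.
        if self.mode == "protect":
            return "dropped"                   # silently; no counter, no log
        if self.mode == "restrict":
            self.violations += 1               # counted and logged, port stays up
            return "dropped (violation counted)"
        if self.mode == "shutdown":
            self.violations += 1
            self.err_disabled = True           # port goes err-disabled
            return "dropped (port err-disabled)"
        raise ValueError(f"unknown violation mode {self.mode!r}")

    def link_up(self) -> bool:
        return not self.err_disabled


# Constructed MAC addresses: two legitimate hosts and a third one behind the hub.
HOSTS = ["0000.1111.aaaa", "0000.2222.bbbb", "0000.3333.cccc"]


def run_scenario(mode: str) -> dict:
    """One frame from each host, then host 1 again, then the offender again."""
    port = SecurePort(maximum=2, mode=mode)
    results = [port.frame_in(mac) for mac in HOSTS]
    results.append(port.frame_in(HOSTS[0]))   # legitimate host after the violation
    results.append(port.frame_in(HOSTS[2]))   # offender tries again
    return {"mode": mode, "results": results,
            "violations": port.violations, "link_up": port.link_up()}


if __name__ == "__main__":
    for m in ("protect", "restrict", "shutdown"):
        print(run_scenario(m))
```

The difference to notice is the fourth frame: in restrict mode the legitimate host keeps forwarding, while in shutdown mode it is cut off along with the offender.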

21
MCQ · hard

Refer to the exhibit. A network administrator configures NAT overload on R1 to allow internal hosts in the 10.1.1.0/24 subnet to access the Internet. After the configuration, the administrator runs the show ip nat translations verbose command and notices that several internal sessions all appear to use the same inside global port 1024. The administrator is concerned that port conflicts will occur. Based on the output, which statement is correct?

A. The NAT configuration is missing the overload keyword, causing all internal hosts to share a single source port.
B. The static NAT entry mapping 203.0.113.5 to the entire 10.1.1.0/24 subnet forces all subordinate translations to use the same port 1024.
C. The dynamic NAT pool is exhausted, forcing the router to reuse port 1024 for all new sessions.
D. The translations are extended entries, so the combination of inside global IP, outside global IP, and port ensures each session is unique, even though the inside global port is the same.
Answer: D

Each table entry carries the 'extended' flag, which means the translation includes the destination address and port. This allows the same inside global port 1024 to be used simultaneously for different destinations (198.51.100.10:53, 203.0.113.100:443, 203.0.113.200:22). The five-tuple still uniquely identifies the session, so port conflicts do not occur.

Why this answer

The exhibit shows four dynamic NAT translations, each marked with the 'extended' flag. In extended PAT, the translation table includes the destination IP address and port (the Outside global field). Even though all entries share the same inside global port 1024, each translation has a different Outside global pair (198.51.100.10:53 for UDP, 203.0.113.100:443 and 203.0.113.200:22 for TCP).

Therefore, the five-tuple (protocol, inside global IP, inside global port, outside global IP, outside global port) remains unique for each session, and no port conflict exists. The 'extended' flag explicitly confirms that the router is using this extended matching logic to allow port reuse.

Exam trap

Option A is the most common trap because candidates often associate a single global port with a missing overload keyword. However, the presence of the 'extended' flag and the different outside destinations in the exhibit demonstrate that PAT overload is active and correctly implemented.

Why the other options are wrong

A

Candidates think that seeing the same global port means overload is not operating, but port reuse is normal in extended PAT.

B

Candidates may misinterpret the summary line as a static identity NAT rule that locks all translations to a single port.

C

Candidates confuse pool exhaustion (no free global addresses) with port reuse. Exhaustion typically manifests as translation failures, not as many entries sharing the same port.

22
PBQ · hard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's GigabitEthernet0/0 and GigabitEthernet0/1 interfaces so that R1 can ping both R2's IPv4 address (203.0.113.2) and R2's IPv6 address (2001:db8:1::2). The current configuration has an incorrect subnet mask on G0/0, missing default gateway, and R1's G0/1 has a duplicate IPv4 address with R3. Also, use EUI-64 for IPv6 on G0/0 and static IPv6 assignment on G0/1. Ensure all issues are resolved and connectivity verified.

Network Topology (diagram labels):
R1 G0/0 203.0.113.1/30 <-> link <-> R2 G0/0 203.0.113.2/30
R1 G0/1 192.168.1.254/24 <-> switch <-> R3 G0/0 192.168.1.1/24

Hints

  • Check the subnet mask on G0/0; it should match R2's /30.
  • G0/1's IPv4 address conflicts with R3; use an unused address like .254.
  • Enable IPv6 globally with 'ipv6 unicast-routing' before configuring interface IPv6 addresses.

A. Change G0/0 subnet mask to 255.255.255.252, add default gateway 203.0.113.2, change G0/1 IPv4 to 192.168.1.254, enable IPv6 routing, configure G0/0 with ipv6 address 2001:db8:1::/64 eui-64, and G0/1 with ipv6 address 2001:db8:2::1/64.
B. Change G0/0 subnet mask to 255.255.255.0, add default gateway 203.0.113.1, change G0/1 IPv4 to 192.168.1.254, enable IPv6 routing, configure G0/0 with ipv6 address 2001:db8:1::1/64, and G0/1 with ipv6 address 2001:db8:2::1/64.
C. Change G0/0 subnet mask to 255.255.255.252, add default gateway 203.0.113.2, change G0/1 IPv4 to 192.168.1.1, enable IPv6 routing, configure G0/0 with ipv6 address 2001:db8:1::/64 eui-64, and G0/1 with ipv6 address 2001:db8:2::1/64.
D. Change G0/0 subnet mask to 255.255.255.252, add default gateway 203.0.113.2, change G0/1 IPv4 to 192.168.1.254, enable IPv6 routing, configure G0/0 with ipv6 address 2001:db8:1::1/64, and G0/1 with ipv6 address 2001:db8:2::/64 eui-64.
Answer: A
Solution
! R1
configure terminal
! enable IPv6 routing globally before assigning interface IPv6 addresses
ipv6 unicast-routing
interface gigabitethernet0/0
ip address 203.0.113.1 255.255.255.252
ipv6 address 2001:db8:1::/64 eui-64
exit
interface gigabitethernet0/1
ip address 192.168.1.254 255.255.255.0
ipv6 address 2001:db8:2::1/64
exit
ip route 0.0.0.0 0.0.0.0 203.0.113.2
end

Why this answer

The subnet mask on G0/0 was incorrectly set to /24 instead of /30. While a /24 mask on 203.0.113.1 would include 203.0.113.2 in the same subnet from R1's perspective, the mismatch with R2's /30 mask leads to inconsistent subnet definitions and potential ARP or routing issues. Additionally, no default gateway was configured, so traffic to remote networks would fail.

On G0/1, the IPv4 address 192.168.1.1 was already used by R3, causing a duplicate IP conflict. IPv6 was not configured on either interface. The fix involved correcting the subnet mask on G0/0 to 255.255.255.252, adding a default gateway (203.0.113.2), assigning a unique IPv4 address to G0/1 (192.168.1.254), enabling IPv6 routing globally with `ipv6 unicast-routing`, configuring EUI-64 on G0/0 (`ipv6 address 2001:db8:1::/64 eui-64`), and static IPv6 on G0/1 (`ipv6 address 2001:db8:2::1/64`).

Exam trap

Watch out for subnet mask mismatches (e.g., /24 vs /30) and duplicate IP addresses. Also, note the specific IPv6 addressing requirements: EUI-64 on one interface and static on the other. Don't assume a default gateway can be any IP in the subnet; it must be the neighbor's IP.

Why the other options are wrong

B

The subnet mask /24 is too large, causing a mismatch with R2's /30; the default gateway must be R2's IP (203.0.113.2); EUI-64 is not used on G0/0.

C

The duplicate IPv4 address on G0/1 is not resolved; it still uses 192.168.1.1 which is already assigned to R3.

D

EUI-64 is required on G0/0, not G0/1; static IPv6 is required on G0/1, not G0/0.

23
Matching · easy

Match each common API or data term to its most accurate meaning.

Concepts
Matches

Defined software interface used for communication

Structured data format

Secure transport for the communication

Credential-like value used to help control access

Why these pairings

API (Application Programming Interface) is a defined set of rules that allows software components to communicate, matching 'Defined software interface used for communication.' JSON (JavaScript Object Notation) is a lightweight data-interchange format with key-value pairs, matching 'Structured data format.' HTTPS (Hypertext Transfer Protocol Secure) encrypts HTTP traffic using TLS/SSL, providing secure transport, matching 'Secure transport for the communication.' Token is a unique string used for authentication and authorization, matching 'Credential-like value used to help control access.'

Exam trap

The trap is that candidates often confuse specific API styles (REST, SOAP) or data formats (XML, YAML) with the general concept of an API. Remember that an API is the overarching interface; REST, SOAP, gRPC are specific types, and XML/YAML are data representation formats.

24
Multi-Select · medium

An engineer wants rapid transition to forwarding on end-user switchports while still protecting the topology from accidental switch connections. Which two STP-related features fit that design?

Select 2 answers
A. PortFast on user-facing access ports
B. BPDU Guard on those same access ports
C. Root Guard on every user-facing port instead of PortFast
D. Loop Guard on hosts to accelerate DHCP
Answers: A, B

PortFast skips the usual listening/learning delay for edge endpoints.

Why this answer

PortFast improves the user experience on edge ports, and BPDU Guard keeps those ports from becoming unintended switch uplinks.

Exam trap

Beware of confusing STP features that secure or optimize ports with those that manage root bridge roles or loop prevention.

Why the other options are wrong

C

Root Guard is designed to prevent a port from becoming a root port, not to accelerate forwarding. It does not skip the STP listening/learning states, so it cannot provide rapid transition for end-user ports.

D

Loop Guard is used to prevent alternate or root ports from transitioning to forwarding in the absence of BPDUs, which helps avoid loops. It has no effect on host startup or DHCP acceleration.

25
PBQ · hard

You are connected to R1 via console. R1 and R2 are directly connected via their GigabitEthernet0/0 interfaces. Configure OSPFv3 for IPv6 on both routers so that the loopback0 interface on R2 (with IPv6 address 2001:db8:acad:2::1/64) is reachable from R1. Enable IPv6 unicast routing, enable OSPFv3 on the appropriate interfaces, and verify the neighbor adjacency and routing table. (Note: R2 already has OSPFv3 configured and is waiting for R1 to complete its configuration.)

Hints

  • OSPFv3 uses a separate process from OSPFv2; you must create the OSPFv3 process with 'ipv6 router ospf <process-id>'.
  • The router-id must be configured manually (e.g., 1.1.1.1) because there are no IPv4 addresses on R1.
  • OSPFv3 is enabled on an interface using 'ipv6 ospf <process-id> area <area-id>'.
A. Enable IPv6 unicast routing, configure OSPFv3 process with router-id, enable OSPFv3 on GigabitEthernet0/0 in area 0, and verify neighbor and route.
B. Enable IPv6 unicast routing, configure OSPFv2 process with router-id, enable OSPFv2 on GigabitEthernet0/0 in area 0, and verify neighbor and route.
C. Enable IPv6 unicast routing, configure OSPFv3 process without a router-id, enable OSPFv3 on GigabitEthernet0/0 in area 0, and verify neighbor and route.
D. Enable IPv6 unicast routing, configure OSPFv3 process with router-id, enable OSPFv3 on GigabitEthernet0/0 in area 0, but do not verify neighbor or route.
Answer: A
Solution
! R1
configure terminal
ipv6 unicast-routing
ipv6 router ospf 1
router-id 1.1.1.1
exit
interface gigabitethernet0/0
ipv6 ospf 1 area 0
end

Why this answer

The issue is that the OSPFv3 process is not enabled on R1. To fix it, first ensure IPv6 unicast routing is enabled (already done). Then configure the OSPFv3 routing process with a process ID (e.g., 1) and a router-id, using the `ipv6 router ospf 1` and `router-id` commands.

Then enable OSPFv3 on the GigabitEthernet0/0 interface with `ipv6 ospf 1 area 0`. Finally, verify with `show ospfv3 neighbor` to see R2's router ID (e.g., 2.2.2.2) and `show ipv6 route ospf` to see the route to 2001:db8:acad:2::/64.

Exam trap

A common trap is confusing OSPFv2 and OSPFv3. Remember that OSPFv3 is for IPv6 and requires a router-id. Also, do not skip verification steps; they are often required in exam scenarios.

Why the other options are wrong

B

OSPFv2 supports only IPv4; OSPFv3 is required for IPv6 routing.

C

OSPFv3 uses a 32-bit router-id, which must be manually configured or derived from an IPv4 address; without it, the process cannot operate.

D

Verification commands like 'show ospfv3 neighbor' and 'show ipv6 route ospf' are necessary to ensure OSPFv3 is functioning correctly.

26
Multi-Select · medium

Which TWO statements correctly describe the behavior of the passive-interface command in single-area OSPFv2?

Select 2 answers
A. It prevents the router from sending Hello packets on the specified interface.
B. It prevents the router from advertising the network in OSPF LSAs.
C. The network associated with the passive interface is still advertised in OSPF LSAs.
D. It disables the interface for any OSPF traffic, including data traffic.
E. It removes the network from the OSPF routing table.
Answers: A, C

Passive-interface in OSPF suppresses Hello packets, preventing OSPF neighbor discovery.

Why this answer

The passive-interface command in OSPFv2 suppresses all OSPF protocol packets (Hello, DD, LSR, LSU, LSAck) on the specified interface, preventing neighbor adjacency formation. However, the network prefix of that interface is still included in the router LSA and advertised through active interfaces to the OSPF domain. Option A is correct because Hello packets are suppressed.

Option C is correct because the prefix is still advertised in LSAs. Option B is incorrect: it states that the network is not advertised, which is false. Option D is incorrect because passive-interface does not affect data traffic forwarding.

Option E is incorrect because the network remains in the OSPF routing table.

Exam trap

A common mistake is confusing passive-interface in OSPF with RIP or EIGRP; in OSPF, it suppresses all control packets on the interface, but the network is still advertised in LSAs via other interfaces.

Why the other options are wrong

B

This statement is false because passive-interface does not prevent the network from being advertised; the prefix is still injected into the OSPF LSAs.

D

Passive-interface only stops OSPF control packets; data traffic forwarding continues normally on the interface.

E

The passive-interface command does not remove the network from the OSPF routing table; the network is still reachable via other interfaces.

27
MCQ · hard

What prefix length corresponds to the subnet mask 255.255.255.224?

A. /26
B. /27
C. /28
D. /29
Answer: B

This is correct because 255.255.255.224 represents 27 network bits.

Why this answer

The subnet mask 255.255.255.224 corresponds to /27. In plain language, the first three octets contribute 24 network bits, and 224 in binary is 11100000, which contributes 3 more network bits. That gives a total of 27 network bits.

This is a common prefix-conversion question because it checks whether you can move between dotted-decimal masks and prefix lengths confidently.

Exam trap

Be cautious not to confuse the binary values of different subnet masks. Always convert the last octet to binary to determine the correct prefix length.

Why the other options are wrong

A

The /26 prefix corresponds to subnet mask 255.255.255.192, which has 64 addresses per subnet, not 32. The mask 255.255.255.224 has 27 network bits, not 26.

C

The /28 prefix corresponds to subnet mask 255.255.255.240, which provides 16 addresses per subnet (14 usable). The mask 255.255.255.224 has 32 addresses per subnet, so /28 is incorrect.

D

The /29 prefix corresponds to subnet mask 255.255.255.248, which provides 8 addresses per subnet (6 usable). The mask 255.255.255.224 has 32 addresses, so /29 is incorrect.

28
Multi-Select · medium

Which two statements accurately describe default routes in a routed network?

Select 2 answers
A. A default route is used when no more specific route matches.
B. A default route is commonly represented as 0.0.0.0/0 in IPv4.
C. A default route is always preferred over connected routes.
D. A default route can exist only when dynamic routing is disabled.
E. A default route removes the need for route selection logic.
Answers: A, B

This is correct because that is the core purpose of a default route.

Why this answer

A default route is a fallback path used when no more specific route matches, which justifies option A. It is commonly represented as 0.0.0.0/0 in IPv4, so option B is also correct. Option C is incorrect because default routes are not always preferred over connected routes; connected routes are more specific (e.g., /24) and thus take precedence.

Option D is false because default routes can be statically configured or dynamically learned via routing protocols such as OSPF or EIGRP. Option E is incorrect because default routes do not eliminate the need for route selection logic; routers still perform longest prefix match, and default routes are only used when no more specific match exists.

Exam trap

A common exam trap is to incorrectly believe that a default route always takes precedence over other routes. Some candidates assume the default route is the primary path for all traffic, ignoring the longest prefix match rule. This misunderstanding leads to the false conclusion that connected or static routes are overridden by the default route.

In reality, the router always prefers the most specific route available, and the default route is only used when no other route matches. Misinterpreting this can cause incorrect answers about routing behavior and route preference in the exam.

Why the other options are wrong

C

Incorrect. Default routes are less preferred than connected or static routes because routers always choose the most specific route first based on longest prefix match.

D

Incorrect. Default routes can exist alongside dynamic routing protocols and do not require dynamic routing to be disabled; they complement dynamic routes as a last resort.

E

Incorrect. A default route does not remove the need for route selection logic; routers still evaluate all routes and prefer more specific matches before using the default.

29
Matching · medium

Match each structured-data term to its most accurate meaning.

Concepts
Matches

Named piece of structured data

Content assigned to a field

Group of related key-value pairs

Ordered list of items

Why these pairings

Each term is matched to its role in structured-data formats such as JSON: a named field, the content assigned to that field, an object that groups related key-value pairs, and an array that holds an ordered list of items.

Exam trap

A common mistake is confusing an object (a collection of named fields) with an array (an ordered list of values), as both hold multiple items but structure them differently.

30
Matching · easy

Match each automation or programmability term to its most accurate description.

Concepts
Matches

Central platform used to coordinate policy and management

Defined software interface for interaction between systems

Lightweight structured data format

Data modeling language for network information

Why these pairings

These terms are fundamental to network automation and programmability. API enables software interaction, REST is a common API style, JSON and YAML are data formats, Ansible is a popular automation tool, and Python is a scripting language for automation.

Exam trap

Be careful not to confuse tools with data formats or languages. For example, Ansible is a tool, not a data format; YAML is the format it uses. Similarly, REST is an architectural style, not a scripting language.

31
Multi-Select · hard

A router has learned route 172.16.50.0/24 from OSPF with cost 20 and also has a static route to the same prefix with administrative distance 5. Which two statements are correct about route selection?

Select 2 answers
A. The static route is installed because it has the lower administrative distance
B. The OSPF route is installed because cost 20 is lower than metric 0
C. If the static route is removed, OSPF can become the active route
D. Both routes are installed as equal-cost paths automatically
Answers: A, C

Administrative distance is compared before metric when routes come from different sources.

Why this answer

When the same prefix is learned from different routing sources, the router first compares administrative distance (AD). The static route with AD 5 wins over OSPF with AD 110, so option A is correct. Option C is correct because if the static route is removed, the OSPF route becomes the next best candidate and is installed.

Option B is wrong since AD is compared before metrics like OSPF cost; a lower cost does not override a lower AD. Option D is wrong because only one route is installed per destination based on AD, not both.

Exam trap

A common exam trap is to incorrectly assume that the OSPF route with a lower cost metric will be preferred over a static route. Many candidates mistakenly compare OSPF cost directly against the static route’s metric or ignore administrative distance entirely. This leads to the wrong conclusion that OSPF wins because 20 is less than 0 or some assumed static metric.

However, Cisco routers always compare administrative distance first when routes come from different sources. Ignoring this rule causes confusion and incorrect answers in routing questions involving multiple protocols.

Why the other options are wrong

B

Option B is incorrect because metrics like OSPF cost are only compared among routes from the same protocol; the router does not compare OSPF cost against static route administrative distance.

D

Option D is incorrect because routes from different sources with different administrative distances do not qualify for equal-cost multipath (ECMP), so both routes are not installed simultaneously.
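The two-stage selection rule behind questions 19, 28 and 31 (install one route per prefix by administrative distance and metric, then forward by longest prefix match), together with the mask-to-prefix conversion from question 27, as an added example that is not part of the question bank; the routes are constructed to mirror those questions:

```python
"""Route selection as questions 19, 27, 28 and 31 describe it: longest prefix
match decides forwarding; administrative distance (AD), then metric, decide
which candidate per prefix gets installed. Added example, not from the question
bank; the routes and lookups are constructed to mirror those questions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Cisco default administrative distances for the sources used on this page.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


def mask_to_prefix_length(mask: str) -> int:
    """Convert a dotted-decimal mask such as 255.255.255.224 to its /N length.

    A valid mask is a run of 1 bits followed by 0 bits (224 = 11100000, so
    24 + 3 = /27); a non-contiguous mask is rejected instead of miscounted.
    """
    bits = int(IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != ((((1 << ones) - 1) << (32 - ones)) if ones else 0):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


@dataclass
class Route:
    prefix: IPv4Network         # a "10.1.1.64/26" string is accepted too
    source: str                 # "connected", "static", "ospf", ...
    metric: int = 0             # the protocol's own metric, e.g. OSPF cost
    ad: Optional[int] = None    # explicit AD, e.g. a floating static route

    def __post_init__(self) -> None:
        if isinstance(self.prefix, str):
            self.prefix = IPv4Network(self.prefix)
        if self.ad is None:
            self.ad = DEFAULT_AD[self.source]


class RoutingTable:
    """All learned routes; only one winner per prefix is installed."""

    def __init__(self) -> None:
        self.learned: list[Route] = []

    def learn(self, route: Route) -> None:
        self.learned.append(route)

    def withdraw(self, prefix: str, source: str) -> None:
        """Drop a route, e.g. a static route removed from the configuration."""
        net = IPv4Network(prefix)
        self.learned = [r for r in self.learned
                        if not (r.prefix == net and r.source == source)]

    def installed(self) -> list[Route]:
        """Per prefix, install the candidate with the lowest AD, then metric.

        This is why a static route (AD 5) beats OSPF (AD 110) for the same
        prefix whatever the OSPF cost, and why OSPF takes over once the
        static route is withdrawn (question 31).
        """
        best: dict[IPv4Network, Route] = {}
        for r in self.learned:
            cur = best.get(r.prefix)
            if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, destination: str) -> Optional[Route]:
        """Forwarding decision: longest prefix match among installed routes.

        AD and metric play no part here; they only chose what got installed.
        0.0.0.0/0 matches every address, so it is used only when nothing more
        specific does (questions 19 and 28).
        """
        dst = IPv4Address(destination)
        matches = [r for r in self.installed() if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


if __name__ == "__main__":
    rib = RoutingTable()
    # Question 19: static /26, OSPF /24 and /16, plus a static default route.
    rib.learn(Route("10.1.1.64/26", "static"))
    rib.learn(Route("10.1.1.0/24", "ospf", metric=20))
    rib.learn(Route("10.1.0.0/16", "ospf", metric=30))
    rib.learn(Route("0.0.0.0/0", "static"))
    print("10.1.1.70 ->", rib.lookup("10.1.1.70").prefix)      # 10.1.1.64/26
    print("192.0.2.9 ->", rib.lookup("192.0.2.9").prefix)      # 0.0.0.0/0
    # Question 31: same prefix from a static route (AD 5) and OSPF (cost 20).
    rib.learn(Route("172.16.50.0/24", "static", ad=5))
    rib.learn(Route("172.16.50.0/24", "ospf", metric=20))
    print("172.16.50.1 via", rib.lookup("172.16.50.1").source)  # static
    rib.withdraw("172.16.50.0/24", "static")
    print("172.16.50.1 via", rib.lookup("172.16.50.1").source)  # ospf
    print("255.255.255.224 is /" + str(mask_to_prefix_length("255.255.255.224")))  # /27
```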

32
MCQ · hard

A network technician is troubleshooting a newly installed fiber link between two Cisco Catalyst 9300 switches. The link is up, but the interface shows excessive CRC errors and input errors. The technician runs 'show interfaces' and 'show interfaces transceiver details' on the suspect interface. Based on the output, what is the most likely cause of the errors?

A. The interface is configured for full duplex but the switchport is set to auto-negotiation, causing a duplex mismatch.
B. The SFP transceiver is faulty because the transmit power is too low at -3.5 dBm.
C. The fiber cable is too long for the SX SFP, exceeding the distance limit.
D. The receive power is too low, likely due to a dirty or damaged fiber connector or excessive attenuation.
Answer: D

The receive power of -20.1 dBm is below the low threshold of -17.0 dBm, indicating a weak signal that causes CRC errors. This is often due to dirty connectors, damaged fiber, or excessive attenuation.

Why this answer

The output from 'show interfaces transceiver details' would show the receive power level. A receive power that is too low (e.g., below the receiver sensitivity threshold) indicates excessive signal loss, often due to dirty or damaged fiber connectors, poor splices, or excessive cable attenuation. This causes bit errors that manifest as CRC and input errors, even though the link is physically up.

Option D correctly identifies this as the most likely cause.

Exam trap

Cisco often tests the distinction between transmit power and receive power, trapping candidates who assume a low transmit power is the root cause, when in fact the receive power is the critical metric for signal integrity at the far end.

Why the other options are wrong

A

The interface shows Full Duplex and 1000 Mbps with no collisions or late collisions, which indicates no duplex mismatch. Duplex mismatch typically causes collisions and late collisions, which are absent here.

B

The transmit power of -3.5 dBm is within the normal range for SX SFP (-1.0 to -9.5 dBm), so the SFP is transmitting correctly. Low transmit power would not cause CRC errors if it is within specifications.

C

The SX SFP supports up to 550m on OM3 fiber, and the link is operational, so distance is not the issue. Excessive CRC errors due to distance would typically cause the link to be down or unstable.

33
Multi-Select · medium

Which three of the following are functions of Network Address Translation (NAT) overload (PAT)? (Choose three.)

Select 3 answers
A. It translates multiple private IP addresses to a single public IP address.
B. It uses unique source port numbers to differentiate between internal sessions.
C. It requires a pool of public IP addresses equal to the number of internal hosts.
D. It can be configured with the 'ip nat inside source list' command referencing a standard ACL.
E. It provides inbound-initiated connections to internal servers without static entries.
F. It performs a one-to-one mapping between inside local and inside global addresses.

Why this answer

PAT (Port Address Translation), also known as NAT overload, allows multiple internal hosts to share a single public IP address by translating each session's source port to a unique port number. This enables the router to differentiate between concurrent sessions from different internal hosts, even though they all appear to originate from the same public IP. The correct options highlight the core functions: translating many private IPs to one public IP and using unique source port numbers for session differentiation.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs equal to the number of internal hosts, when in fact PAT's defining feature is the ability to map many internal hosts to a single public IP using port multiplexing.
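A model of the PAT behaviour behind this question and question 21 (one inside global address shared by many hosts, 'extended' entries keyed by the full 5-tuple, port 1024 reused toward different destinations, no entry for unsolicited inbound traffic). This is an added example, not the question bank's or IOS's code: the destination endpoints come from question 21, the inside global address 203.0.113.5 and inside hosts are constructed, and the port allocation is a simplified model rather than the exact IOS algorithm.

```python
"""PAT (NAT overload) with 'extended' translation entries, as in questions 21
and 33: many inside hosts share one inside global address, and each session is
identified by its full 5-tuple, so the same inside global port can be reused
toward different destinations. Added example; addresses are constructed and
port allocation is a simplified model, not the exact IOS algorithm."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PAT_PORT_FLOOR = 1024   # lowest port this model allocates for translated sessions


@dataclass(frozen=True)
class Entry:
    """One extended translation: both ends of the session are recorded."""
    proto: str
    inside_local: str
    inside_local_port: int
    inside_global: str
    inside_global_port: int
    outside_global: str
    outside_global_port: int

    def five_tuple(self) -> tuple:
        return (self.proto, self.inside_global, self.inside_global_port,
                self.outside_global, self.outside_global_port)


class PatTable:
    def __init__(self, inside_global: str, inside_subnet: str) -> None:
        self.inside_global = inside_global               # single overloaded address
        self.inside_subnet = IPv4Network(inside_subnet)  # the standard ACL's subnet
        self.entries: list[Entry] = []

    def _port_in_use(self, proto: str, port: int, dst: str, dport: int) -> bool:
        """True if an entry already uses this port toward the same outside endpoint.

        Because entries are extended, a port is only 'taken' for one destination:
        the return packet's source address and port tell the sessions apart.
        """
        return any(e.proto == proto and e.inside_global_port == port
                   and e.outside_global == dst and e.outside_global_port == dport
                   for e in self.entries)

    def outbound(self, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> Optional[Entry]:
        """Translate an inside-to-outside packet; None if the inside ACL misses."""
        if IPv4Address(src) not in self.inside_subnet:
            return None
        for e in self.entries:                           # existing session?
            if (e.proto, e.inside_local, e.inside_local_port, e.outside_global,
                    e.outside_global_port) == (proto, src, sport, dst, dport):
                return e
        port = PAT_PORT_FLOOR
        while self._port_in_use(proto, port, dst, dport):
            port += 1                                    # bump only on a real clash
        e = Entry(proto, src, sport, self.inside_global, port, dst, dport)
        self.entries.append(e)
        return e

    def inbound(self, proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[Entry]:
        """Match a packet arriving from outside; unsolicited traffic has no entry."""
        for e in self.entries:
            if (e.proto, e.outside_global, e.outside_global_port, e.inside_global,
                    e.inside_global_port) == (proto, src, sport, dst, dport):
                return e
        return None

    def five_tuples_unique(self) -> bool:
        """The property question 21 relies on: no two entries share a 5-tuple."""
        tuples = [e.five_tuple() for e in self.entries]
        return len(tuples) == len(set(tuples))

    def show(self) -> str:
        """Rough 'show ip nat translations' style listing."""
        lines = ["Pro Inside global        Inside local         Outside global"]
        for e in self.entries:
            lines.append(f"{e.proto:<3} {e.inside_global}:{e.inside_global_port:<7}"
                         f"{e.inside_local}:{e.inside_local_port:<8}"
                         f"{e.outside_global}:{e.outside_global_port} extended")
        return "\n".join(lines)


if __name__ == "__main__":
    pat = PatTable("203.0.113.5", "10.1.1.0/24")
    pat.outbound("udp", "10.1.1.10", 40000, "198.51.100.10", 53)   # port 1024
    pat.outbound("tcp", "10.1.1.11", 50000, "203.0.113.100", 443)  # port 1024
    pat.outbound("tcp", "10.1.1.12", 50001, "203.0.113.200", 22)   # port 1024
    pat.outbound("tcp", "10.1.1.13", 50002, "203.0.113.100", 443)  # clash: 1025
    print(pat.show())
    print("5-tuples unique:", pat.five_tuples_unique())
```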

34
Matching · medium

Match each address-related concept to its most accurate meaning.

Concepts
Matches

Indicates network versus host portions of an IPv4 address

Next-hop path used for off-subnet traffic

Address used to reach all hosts in the local broadcast domain

Address that identifies the subnet itself

Why these pairings

The subnet mask is used to distinguish the network portion from the host portion of an IPv4 address. The default gateway is the next-hop router that forwards traffic destined for off-subnet networks. The broadcast address sends packets to all hosts within the local broadcast domain, while the network address identifies the subnet itself and is the first address in the subnet range.

Exam trap

The exam often tests your ability to differentiate between IP addresses, MAC addresses, subnet masks, and default gateways. Be careful not to confuse the function of each, especially since they are all related to addressing and routing.

35
MCQ · hard

Based on the exhibit, why does the ACL still allow HTTPS traffic from the branch subnet to the server?

A. The ACL blocks TCP port 80 instead of TCP port 443.
B. HTTPS uses UDP port 443, so TCP matching can never work.
C. The ACL must deny all IP traffic to the server to stop HTTPS.
D. ACLs cannot filter by destination port when a host keyword is used.
Answer: A

This is correct because HTTPS normally uses TCP port 443, not port 80.

Why this answer

The ACL still allows the HTTPS traffic because the deny statement is matching TCP port 80, not TCP port 443. In practical terms, the entry blocks HTTP, not HTTPS. Since the requirement is specifically to block encrypted web traffic on TCP 443, the current line is aimed at the wrong service.

This is a good precision question because it tests whether the candidate pays attention to the exact destination port rather than just seeing a generic web-related deny.

Exam trap

A common exam trap is assuming that blocking TCP port 80 also blocks HTTPS traffic. Candidates may see a deny statement for port 80 and mistakenly conclude that all web traffic is blocked. However, HTTPS uses TCP port 443, so if the ACL does not explicitly deny port 443, HTTPS traffic will still be allowed.

This trap tests attention to detail and understanding of port assignments for common services. Overlooking the exact port number leads to incorrect conclusions about ACL effectiveness and network security.

Why the other options are wrong

B

Incorrect. HTTPS uses TCP, not UDP. Denying UDP port 443 would not block HTTPS traffic, so this option is factually wrong.

C

Incorrect. It is unnecessary to deny all IP traffic to block HTTPS. Targeting the specific TCP port 443 is sufficient and more secure practice.

D

Incorrect. ACLs can filter by destination port even when using the host keyword. Both host-based IP matching and port filtering are valid in extended ACLs.
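The mismatch this question turns on, evaluated by a small parser for the subset of extended-ACL syntax involved (wildcard masks, the host keyword, eq, and the implicit deny). This is an added example, not the question's exhibit: the branch subnet 192.168.10.0/24, the server 10.0.0.50 and both ACL texts are constructed placeholders.

```python
"""Why 'deny tcp ... eq 80' leaves HTTPS untouched (question 35): an evaluator
for the small subset of IOS extended-ACL syntax the question involves. Added
example; the branch subnet 192.168.10.0/24, server 10.0.0.50 and the two ACL
texts are constructed placeholders, not the question's exhibit."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Well-known port names IOS prints in ACL lines; only a few are needed here.
PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22, "telnet": 23, "ftp": 21}


@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # 'permit' or 'deny'
    proto: str                 # 'ip' matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]       # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and IPv4Address(p.src) in self.src
                and IPv4Address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def _parse_addr(tok: list, i: int) -> tuple:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return (net, next i)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    # Wildcard mask: 0 bits must match, 1 bits are don't-care (inverse of a mask).
    mask = (~int(IPv4Address(tok[i + 1]))) & 0xFFFFFFFF
    ones = bin(mask).count("1")
    if mask != ((((1 << ones) - 1) << (32 - ones)) if ones else 0):
        raise ValueError(f"non-contiguous wildcard not supported: {tok[i + 1]}")
    return IPv4Network((int(IPv4Address(tok[i])) & mask, ones)), i + 2


def parse_ace(line: str) -> Ace:
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":           # destination port qualifier
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny (implicit)"


# As written in the scenario: the deny line targets HTTP (www = 80), not HTTPS.
BROKEN_ACL = """
deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.50 eq www
permit ip any any
"""

# Corrected: the deny line targets TCP 443, which is what HTTPS actually uses.
FIXED_ACL = """
deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.50 eq 443
permit ip any any
"""

if __name__ == "__main__":
    https = Packet("tcp", "192.168.10.25", "10.0.0.50", 443)
    http = Packet("tcp", "192.168.10.25", "10.0.0.50", 80)
    for name, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(name, "HTTPS:", evaluate(acl, https), "HTTP:", evaluate(acl, http))
```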

36
Matching · medium

Match each data-structure term to its most accurate meaning.

Concepts
Matches

Field name

Content associated with a field

Group of key-value pairs

Ordered list of items

Why these pairings

These pairs correctly match data-structure terms to their definitions. Array uses indices, hash table uses key-value mapping, stack is LIFO, queue is FIFO, linked list uses nodes with references, and tree is hierarchical.

Exam trap

Do not confuse the properties of different data structures. Arrays are defined by indexed access, not by access patterns like LIFO or FIFO, which belong to stacks and queues respectively.

37
MCQ · hard

Based on the exhibit, what is the strongest next troubleshooting focus?

A. DNS or name-resolution configuration for the host or service
B. STP root bridge priority on the access switch
C. PPP encapsulation on the WAN edge
D. EtherChannel member consistency on the distribution switches
Answer: A

This is correct because the difference between IP success and hostname failure points directly to DNS-related troubleshooting.

Why this answer

The strongest next troubleshooting focus is DNS. In practical terms, the host can already reach the destination by IP address, which means switching, routing, and general Layer 3 connectivity are working for that path. The failure occurs only when the hostname is used, so the most likely remaining fault domain is name resolution rather than the data path itself.

This is a classic 'what do you check next' support question and very close to real-world helpdesk and network triage logic.

Exam trap

A frequent exam trap is to select options related to Layer 2 or WAN link issues, such as STP root bridge priority or PPP encapsulation, because candidates associate connectivity problems with these technologies. However, the question states that IP connectivity works, which means switching and routing are operational. Choosing these options wastes time and misses the core issue, which is DNS or name-resolution failure.

Candidates must carefully distinguish between IP connectivity and hostname resolution failures to avoid this common pitfall.

Why the other options are wrong

B

STP root bridge priority is irrelevant here because the network path to the IP address is already functional, meaning Layer 2 switching and spanning-tree topology are stable and not causing the failure.

C

PPP encapsulation on the WAN edge is not the cause since the symptom is specific to hostname resolution failure, and IP connectivity over the WAN is already confirmed as working.

D

EtherChannel member consistency issues would affect link aggregation and potentially cause connectivity failures, but since the client can reach the service by IP, EtherChannel problems are not the root cause.

38
MCQmedium

Why is version control valuable for network automation files?

A.It increases interface bandwidth
B.It tracks changes and allows rollback to earlier versions
C.It replaces the need for device backups
D.It guarantees that configuration changes are error free
AnswerB

Correct. Change tracking and rollback are major benefits.

Why this answer

Version control systems help teams track who changed what, compare revisions, and restore earlier states when needed. That improves operational discipline but does not guarantee correctness by itself.

Exam trap

A common exam trap is selecting the option that version control replaces device backups or guarantees error-free configurations. Version control records changes to the files in the repository; it does not capture device state that was never committed (a running configuration edited by hand, licences, certificates and keys), so device backups are still needed. Nor does committing a file validate it: a configuration with a typo or a wrong ACL line is stored just as readily as a correct one, and only a separate validation step catches it.

Candidates may confuse version control’s change tracking benefits with complete operational safety, but understanding that backups and validation processes remain essential is critical to avoid this mistake.

Why the other options are wrong

A

This option incorrectly claims version control increases interface bandwidth, which is unrelated to version control functionality. Bandwidth is a physical and configuration attribute unaffected by file management systems.

C

This option is incorrect because version control does not replace device backups. Backups protect device states and data beyond just file changes, which version control alone cannot ensure.

D

This option falsely asserts that version control guarantees error-free configuration changes. While it improves process discipline, it cannot prevent human errors or validate correctness automatically.
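An added example (not the question bank's own material) that shows the difference between what version control does and does not do: a toy configuration history with author, message, diff and rollback, alongside a revision containing a typo that is committed without complaint and is caught only by a separate lint step. The configuration text, the KNOWN_PREFIXES keyword list and the lint function are constructed for the illustration and stand in for a real repository and a real validator.

```python
"""
Added example, not from the question bank: a toy configuration history that
shows what version control gives you (who changed what, a diff between
revisions, rollback by re-committing an earlier revision) and what it does
not (the typo in revision 2 is stored without complaint; a separate lint
step has to catch it).  All configuration text is constructed.
"""
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Revision:
    number: int
    author: str
    message: str
    text: str


class ConfigHistory:
    def __init__(self):
        self.revisions = []

    def commit(self, author, message, text):
        rev = Revision(len(self.revisions) + 1, author, message, text)
        self.revisions.append(rev)        # nothing here checks correctness
        return rev.number

    def get(self, number):
        return self.revisions[number - 1]

    def diff(self, a, b):
        """Unified diff of revision a -> b, as a list of lines."""
        return list(difflib.unified_diff(
            self.get(a).text.splitlines(), self.get(b).text.splitlines(),
            fromfile=f"rev{a}", tofile=f"rev{b}", lineterm=""))

    def rollback(self, to, author):
        """Roll back by committing the old content as a new revision, so the
        bad change and the rollback both stay in the record."""
        return self.commit(author, f"rollback to rev{to}", self.get(to).text)

    def head(self):
        return self.revisions[-1]


# Constructed keyword list for a deliberately minimal sanity check.
KNOWN_PREFIXES = ("hostname", "interface", " ip address", " ip access-group",
                  "ip access-list", " permit", " deny", "!")


def lint(text):
    """Return lines that do not start with a known keyword.  Constructed for
    the example; real validation would load the config into a model or a
    test device, but the point stands: committing is not validating."""
    return [line for line in text.splitlines()
            if line.strip() and not line.startswith(KNOWN_PREFIXES)]


REV1 = """hostname EDGE1
!
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group MGMT in
!"""

# A later edit widens SSH access to the world and misspells a keyword.
REV2 = REV1.replace(" permit tcp 10.0.0.0 0.0.0.255 any eq 22",
                    " permit tcp any any eq 22") \
           .replace(" deny ip any any", " dney ip any any")


def run_example():
    h = ConfigHistory()
    h.commit("alice", "initial management ACL", REV1)
    h.commit("bob", "open ssh for vendor", REV2)     # stored despite the typo
    changed = [line for line in h.diff(1, 2)
               if line[:1] in "+-" and not line.startswith(("+++", "---"))]
    bad = lint(h.head().text)                        # validation is separate
    h.rollback(1, "alice")
    return changed, bad, h.head().number, h.head().text == REV1


if __name__ == "__main__":
    changed, bad, head, restored = run_example()
    print("\n".join(changed))
    print("lint flagged:", bad, "| head rev", head, "| restored:", restored)
```

The diff is what an auditor reads to spot the widened ACL line; the rollback appends a new revision rather than deleting history, so the bad change and who made it remain on record.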

39
MCQmedium

Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?

A.Blocking
B.Listening
C.Learning
D.Forwarding
AnswerB

Correct. Listening occurs before learning and forwarding.

Why this answer

In the classic 802.1D sequence, the listening state processes BPDUs and prepares for forwarding decisions, but it does not populate the MAC address table yet.

Exam trap

Be careful not to confuse the listening state with learning, as both involve BPDU processing but differ in MAC address table updates.

Why the other options are wrong

A

In the blocking state the port receives BPDUs but does not send them, does not learn MAC addresses and does not forward frames; it is the resting state of a port that STP has excluded from the active topology, not a port working its way toward forwarding. The question asks for the state that processes BPDUs as part of that transition, which is listening, not blocking.

C

The learning state populates the MAC address table by learning source MAC addresses from incoming frames, which directly contradicts the question's requirement that the state does not learn MAC addresses. Learning occurs after listening and before forwarding.

D

The forwarding state both learns MAC addresses and forwards traffic, which violates the condition that the state does not learn MAC addresses. Forwarding is the final state where the port is fully operational.

40
Multi-Selectmedium

Which two statements accurately describe ACL behavior on Cisco devices?

Select 2 answers
A.ACL entries are processed from top to bottom until a match is found.
B.ACLs end with an implicit deny if unmatched traffic reaches the end.
C.ACLs always evaluate every line before deciding the action.
D.ACLs end with an implicit permit unless configured otherwise.
E.ACLs apply only to Layer 1 traffic and not IP packets.
AnswersA, B

This is correct because Cisco ACLs are evaluated sequentially and stop at the first match.

Why this answer

ACL questions often depend on understanding how Cisco devices process entries line by line. In plain language, ACL entries are evaluated from top to bottom, and the first matching statement decides the result. If traffic reaches the end without matching a permit, it is denied by the implicit deny. These two ideas explain many real ACL troubleshooting cases.

The wrong answers often sound plausible because they borrow language from other parts of networking. But ACLs do not normally evaluate all lines before choosing, and they do not end with an implicit permit. Once you remember “first match wins” and “implicit deny at the end,” many access-list questions become much easier.

Exam trap

A frequent exam trap is assuming that ACLs evaluate every line before deciding to permit or deny traffic. Candidates might think that if no explicit deny exists, traffic is allowed by default. However, Cisco ACLs stop processing at the first match, and if no match occurs, the implicit deny at the end blocks the traffic.

This misunderstanding can lead to incorrect answers about ACL behavior and cause misconfigurations in real networks. Remembering that ACLs use a “first match wins” approach and end with an implicit deny helps avoid this trap.

Why the other options are wrong

C

Incorrect because ACLs do not evaluate every line; they stop processing once a match is found, making this statement false.

D

Incorrect because Cisco ACLs do not end with an implicit permit; the default behavior is an implicit deny for unmatched traffic.

E

Incorrect because IP ACLs match Layer 3 and Layer 4 header fields (addresses, protocol, ports), not anything at Layer 1, so this statement is factually wrong.
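An added example (written for this page, not part of the question bank) that implements the two rules above as code: a parser for extended numbered ACL lines with wildcard masks, and an evaluator that walks the list top to bottom, stops at the first match, and falls through to the implicit deny. The ACL lines, sequence numbers and packets are constructed for the illustration; the reordered case shows how swapping two lines silently changes the result.

```python
"""
Added example, not from the question bank: a small evaluator for Cisco-style
extended IP ACL entries that reproduces the two behaviours the question tests,
top-to-bottom evaluation that stops at the first match, and an implicit deny
when nothing matches.  The ACL lines and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src_net: int                 # network address as a 32-bit int
    src_wild: int                # wildcard mask; 1 bits mean "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int] = None  # from "eq <port>"; None matches any port


def _addr_spec(tok):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, tokens_consumed)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tok[0] == "host":
        return int(IPv4Address(tok[1])), 0, 2
    return int(IPv4Address(tok[0])), int(IPv4Address(tok[1])), 2


def parse_ace(seq, line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, pos = tok[2], tok[3], 4
    src_net, src_wild, used = _addr_spec(tok[pos:])
    pos += used
    dst_net, dst_wild, used = _addr_spec(tok[pos:])
    pos += used
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Ace(seq, action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _wild_match(addr, net, wild):
    """Compare only the bits the wildcard mask does not cover."""
    keep = ~wild & 0xFFFFFFFF
    return addr & keep == net & keep


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wild_match(int(IPv4Address(pkt.src)), ace.src_net, ace.src_wild):
        return False
    if not _wild_match(int(IPv4Address(pkt.dst)), ace.dst_net, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt):
    """Return (action, sequence).  sequence None means the packet reached the
    end of the list and was dropped by the implicit deny."""
    for ace in acl:                     # strictly top to bottom ...
        if ace_matches(ace, pkt):
            return ace.action, ace.seq  # ... and the first match wins
    return "deny", None                 # implicit deny at the end


# Constructed ACL.  Order matters: line 10 must precede line 20 or the
# host-specific deny is shadowed by the subnet-wide permit.
ACL_LINES = [
    "access-list 101 deny tcp host 10.1.1.50 any eq 22",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22",
    "access-list 101 permit icmp any any",
]
ACL = [parse_ace(10 * (i + 1), line) for i, line in enumerate(ACL_LINES)]
REORDERED = [ACL[1], ACL[0], ACL[2]]    # same lines, deny moved below permit


def run_examples():
    ssh_from_50 = Packet("tcp", "10.1.1.50", "10.9.9.9", 22)
    return {
        "ssh_from_50": evaluate(ACL, ssh_from_50),
        "ssh_from_51": evaluate(ACL, Packet("tcp", "10.1.1.51", "10.9.9.9", 22)),
        "ping":        evaluate(ACL, Packet("icmp", "192.0.2.7", "10.9.9.9")),
        "https":       evaluate(ACL, Packet("tcp", "10.1.1.51", "10.9.9.9", 443)),
        "ssh_from_50_reordered": evaluate(REORDERED, ssh_from_50),
    }


if __name__ == "__main__":
    for name, (action, seq) in run_examples().items():
        print(f"{name:22s} -> {action} (line {seq if seq else 'implicit deny'})")
```

The HTTPS packet matches nothing and is dropped without any deny line mentioning it; the reordered list permits the very host the original denied. Both outcomes come straight from "first match wins" plus the implicit deny.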

41
MCQhard

A technician configures OSPF on R1 using the command network 10.0.0.0 0.0.0.255 area 0. R1's GigabitEthernet0/0 interface has IP address 10.0.0.1/30 and is included in the OSPF process. The technician confirms the interface is not passive using the show ip ospf interface GigabitEthernet0/0 command. However, R2 is not forming an OSPF adjacency with R1. What should the technician do next?

A.Check the OSPF hello and dead intervals on R1 and R2.
B.Verify the OSPF area ID configured on R2's interface.
C.Check whether R2's interface is configured as a passive interface.
D.Verify the subnet mask configured on R2's connecting interface.
AnswerD

OSPF on a broadcast network requires an exact subnet mask match; a mismatch will prevent neighbor relationships. Given that R1's interface is properly added to OSPF, is not passive, and is in the correct area, the most likely cause is a misconfigured subnet mask on R2. Checking this resolves a basic Layer 3 requirement before investigating any OSPF-specific parameters.

Why this answer

On broadcast multi-access networks like Ethernet, OSPF requires both neighbors to agree on the exact subnet mask; a Hello whose network mask field differs from the receiving interface's mask is discarded before any neighbor entry is created (point-to-point network types skip this mask comparison, which is why the check is specific to broadcast and NBMA links). R1's interface is already confirmed to be in the correct area and not passive, so the next logical step is to check R2's interface configuration. Verifying the subnet mask on R2's connecting interface addresses a fundamental Layer 3 misconfiguration that would directly prevent adjacency formation, before investigating OSPF-specific parameters.

Exam trap

Many candidates jump to checking OSPF timer mismatches because hello/dead interval mismatches are a well-known cause of adjacency issues, but those are less common than simple subnet mask misconfigurations and should be investigated only after verifying basic IP addressing.

Why the other options are wrong

A

Skips the more likely and fundamental subnet mask check, which would render timer issues irrelevant until resolved.

B

Ignores the more foundational IP addressing check that could also cause the issue, and area troubleshooting would be misleading if the subnet mask is incorrect.

C

Jumps to an OSPF-specific command without first verifying the fundamental IP subnet configuration, which is a more direct cause of failed adjacencies on broadcast links.
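An added example (not from the question) that spells out, in Python, the checks a router applies to a received Hello and the network-statement wildcard match the question describes. The interface values, including R2's deliberately wrong /24 mask, are constructed; the order of checks in hello_problems follows the troubleshooting order the answer argues for.

```python
"""
Added example, not part of the original question: the checks a router applies
to a received OSPF Hello before it will list the sender as a neighbor, written
out so the troubleshooting order is visible.  Interface values below are
constructed; R2's mask is deliberately wrong to reproduce the scenario.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class OspfInterface:
    name: str
    address: str                      # e.g. "10.0.0.1/30"
    area: int
    hello: int = 10
    dead: int = 40
    network_type: str = "broadcast"   # or "point-to-point"
    passive: bool = False

    @property
    def iface(self):
        return IPv4Interface(self.address)


def covered_by_network_statement(intf, net, wildcard):
    """Does 'network <net> <wildcard> area X' enable OSPF on this interface?
    Bits set in the wildcard are ignored; the remaining bits must match."""
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(intf.iface.ip) & keep == int(IPv4Address(net)) & keep


def hello_problems(local, remote):
    """Reasons 'remote' would never become a neighbor of 'local', in the
    order a troubleshooter should check them."""
    problems = []
    if local.passive or remote.passive:
        problems.append("passive interface: no Hellos sent")
    # On broadcast and NBMA network types the mask carried in the Hello must
    # equal the receiving interface's mask; point-to-point links skip this.
    if local.network_type == "broadcast":
        lmask, rmask = local.iface.network.netmask, remote.iface.network.netmask
        if lmask != rmask:
            problems.append(f"subnet mask mismatch: {lmask} vs {rmask}")
        elif local.iface.network != remote.iface.network:
            problems.append("neighbor is not on the same subnet")
    if local.area != remote.area:
        problems.append(f"area mismatch: {local.area} vs {remote.area}")
    if (local.hello, local.dead) != (remote.hello, remote.dead):
        problems.append("hello/dead interval mismatch")
    return problems


# Constructed values matching the scenario: R1 is /30, R2 was typed as /24.
R1_GI0 = OspfInterface("R1 Gi0/0", "10.0.0.1/30", area=0)
R2_GI0 = OspfInterface("R2 Gi0/0", "10.0.0.2/24", area=0)
R2_FIXED = OspfInterface("R2 Gi0/0", "10.0.0.2/30", area=0)


def run_examples():
    return {
        "r1_enabled": covered_by_network_statement(R1_GI0, "10.0.0.0", "0.0.0.255"),
        "mismatch": hello_problems(R1_GI0, R2_GI0),
        "fixed": hello_problems(R1_GI0, R2_FIXED),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

With the /24 on R2 the only finding is the mask mismatch; timers and area are fine, which is why checking them first would have wasted the step.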

42
MCQhard

Why would an orchestration platform prefer a northbound API over screen-scraping CLI output?

A.Because the northbound API provides a defined and structured interface intended for software interaction.
B.Because APIs use encryption by default while CLI sessions are unencrypted.
C.Because northbound APIs are designed for network-wide automation whereas screen-scraping only works on a single device.
D.Because CLI commands are more error-prone due to human typing mistakes.
AnswerA

This is correct because APIs are built for reliable programmatic use.

Why this answer

A northbound API is preferred because it is designed for software consumption. In practical terms, it provides a defined, structured, predictable interface that tools can interact with directly. Screen-scraping CLI output is much more fragile because CLI displays are primarily intended for human reading, not consistent machine parsing.

This is a practical architecture question. The API is the clean software interface. The CLI is useful for humans, but not usually the best primary interface for orchestration.

Exam trap

Avoid assuming that CLI output is suitable for automation just because it is human-readable.

Why the other options are wrong

B

Encryption is a property of the transport, not of the interface type: CLI sessions run over SSH, and an API is only as protected as the TLS that carries it. The reason to prefer the API is structured interaction.

C

Screen-scraping can be automated network-wide; the key differentiator is the interface structure.

D

Human error is mitigated by automation itself, not a unique advantage of APIs.

43
Multi-Selectmedium

Which TWO statements are true about IPv6 link-local addresses?

Select 2 answers
A.They are automatically configured on all IPv6-enabled interfaces.
B.They are routable across the entire IPv6 internet.
C.They always use the EUI-64 format for the interface ID.
D.They are used as the default gateway address for IPv6 hosts.
E.They are identified by the prefix fe80::/10.
AnswersA, E

IPv6-enabled interfaces automatically generate a link-local address, even if no other IPv6 address is configured.

Why this answer

Option A is correct because IPv6 link-local addresses (fe80::/10) are automatically generated on every IPv6-enabled interface using Stateless Address Autoconfiguration (SLAAC) as defined in RFC 4862. This ensures that each interface has a unique local address for neighbor discovery and other link-local operations without requiring manual configuration or a DHCPv6 server.

Exam trap

Cisco often tests the misconception that link-local addresses are routable or that they always use EUI-64, when in fact they are strictly link-scoped and can use privacy extensions to randomize the interface ID.

Why the other options are wrong

B

Link-local addresses are not routable; they are confined to a single link or network segment. Routers will not forward packets with a link-local source or destination address beyond the local subnet.

C

While EUI-64 is one method for generating the interface ID, link-local addresses can also use randomly generated identifiers (privacy extensions) or be manually configured. The statement that they always use EUI-64 is incorrect.

D

Option D is the one the answer key marks wrong, and the wording is the trap. An IPv6 host does not have a default gateway in the IPv4 sense of a configured, routable address; it learns a default router from Router Advertisements, and the next hop it installs is the router's link-local address on that segment. That next hop is link-scoped and meaningful only on that link, which is the point the exam is testing: link-local addresses serve as the on-link next hop, not as a routable gateway address that identifies the router from anywhere else.
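An added example, not part of the question, that derives a link-local address from a MAC using modified EUI-64, tests fe80::/10 membership, and tells an EUI-64-derived interface ID from a random one, which is the distinction options C and E turn on. The MAC address and the sample addresses are constructed.

```python
"""
Added example, not from the question bank: derive a link-local address from a
MAC the way modified EUI-64 does, check link-local scope with the standard
library, and detect whether an interface ID was built with EUI-64 at all.
MAC and sample addresses are constructed.
"""
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle and
    flip the universal/local bit (bit 1 of the first octet, value 0x02).
    Accepts 00:1a:2b:3c:4d:5e, 00-1a-..., or Cisco's 001a.2b3c.4d5e."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC")
    first = octets[0] ^ 0x02               # invert the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac):
    """fe80:: prefix (64 bits) followed by the EUI-64 interface ID."""
    return IPv6Address(bytes.fromhex("fe80" + "00" * 6) + eui64_interface_id(mac))


def is_link_local(addr):
    return IPv6Address(addr) in LINK_LOCAL


def uses_eui64(addr):
    """True only if the interface ID carries the ff:fe marker and the U/L bit.
    A randomised (privacy) or hand-assigned ID such as fe80::1 fails this."""
    packed = IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe" and packed[8] & 0x02 == 0x02


if __name__ == "__main__":
    mac = "001a.2b3c.4d5e"                 # constructed
    ll = link_local_from_mac(mac)
    print(mac, "->", ll, "| link-local:", is_link_local(ll), "| eui64:", uses_eui64(ll))
    print("fe80::1 eui64:", uses_eui64("fe80::1"))
```

The same MAC always yields the same link-local address, which is why an EUI-64 address leaks the hardware identifier and why hosts that care about tracking use a random interface ID instead; both forms are still link-local because only the prefix decides scope.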

44
MCQhard

A network administrator is troubleshooting a wireless connectivity issue in a large office. Users on the 5 GHz band report intermittent disconnections and slow performance, while 2.4 GHz clients are unaffected. The office uses a Cisco 9800 WLC with APs that support 802.11ac Wave 2. The administrator checks the WLC's RF profile and notices a high number of channel utilization reports on channel 36. Which action most likely resolves the problem?

A.Enable DFS channels to avoid radar interference.
B.Change some APs to use channels 40, 44, or 48 to reduce co-channel interference.
C.Increase the channel width to 160 MHz to improve throughput.
D.Disable the 2.4 GHz radios to force all clients to 5 GHz.
AnswerB

Co-channel interference occurs when multiple APs use the same frequency channel, causing contention. Changing some APs to non-overlapping channels reduces this.

Why this answer

Channel 36 is a 20 MHz channel in the 5 GHz band. When many APs use the same channel (channel 36), they share the same medium, leading to co-channel interference (CCI). This causes intermittent disconnections and slow performance for 5 GHz clients because they must contend for airtime.

Spreading APs across non-overlapping channels like 40, 44, or 48 reduces CCI and improves performance.

Exam trap

Cisco often tests the misconception that DFS channels are the solution for any 5 GHz interference issue, but the trap here is that high channel utilization on a non-DFS channel (36) indicates co-channel interference, not radar avoidance.

Why the other options are wrong

A

DFS channels exist so that 5 GHz radios vacate frequencies where radar is detected, but the problem described is co-channel interference on channel 36, not radar events. The scenario reports high channel utilization and no radar detection, so enabling DFS channels does not address the cause.

C

Increasing channel width to 160 MHz would actually increase the likelihood of co-channel interference because fewer non-overlapping channels are available, and it would not solve the existing high utilization on channel 36.

D

Disabling 2.4 GHz radios would force all clients to 5 GHz, potentially worsening the co-channel interference on channel 36 by adding more clients to an already congested channel. The 2.4 GHz band is not the source of the problem.

45
Multi-Selectmedium

Which two statements accurately describe JSON in network automation contexts?

Select 2 answers
A.It is a structured data format that software can parse reliably.
B.It is commonly used in API payloads exchanged by automation tools and controllers.
C.It is the encryption protocol that protects the API session.
D.It replaces the need for authentication.
E.It is the same thing as a southbound API.
AnswersA, B

This is correct because structured machine readability is one of JSON's main strengths.

Why this answer

JSON is widely used in network automation because it provides structured, machine-readable data. In practical terms, software can reliably identify keys, values, objects, and arrays without having to guess meaning from free-form text. That makes it a common format in modern APIs.

The important point is that JSON is a data format. It is not the API itself and it is not the secure transport that carries the data.

Exam trap

A frequent exam trap is mistaking JSON for a security or API protocol. Some candidates incorrectly believe JSON encrypts API sessions or replaces authentication, which is false. JSON is purely a data format used to structure information exchanged between automation tools and devices.

Confusing JSON with encryption protocols like TLS or authentication mechanisms can lead to selecting incorrect answers. Another trap is equating JSON with the API itself or the concept of a southbound API, which refers to the direction of communication, not the data format. Understanding JSON’s role as a structured data format prevents these mistakes.

Why the other options are wrong

C

Option C is incorrect because JSON is not an encryption protocol; it does not provide any security or protection for API sessions, which are handled by other protocols like TLS.

D

Option D is incorrect because JSON does not replace authentication; authentication is a separate process that controls access to APIs and network devices.

E

Option E is incorrect because JSON is a data format, not an API or directional interface like a southbound API, which refers to communication from controllers to devices.

46
MCQmedium

A network engineer sends an HTTP GET request to a controller API and receives status code 401. What does that response indicate?

A.The API endpoint does not exist
B.The request was successful but returned an empty body
C.Authentication is required or the token is invalid
D.The server is overloaded and cannot process the request
AnswerC

Correct choice.

Why this answer

HTTP 401 Unauthorized means the request lacked valid authentication credentials or the credentials it carried were rejected. In practice, this usually means the token is missing, expired, malformed, or otherwise invalid. Despite the status name, it is an authentication failure; a request that is authenticated but not permitted to access the resource gets 403 Forbidden instead.

Exam trap

Be careful not to confuse HTTP 401 with other common status codes like 200, 403, 404, or 500. Each code has a specific meaning: 401 asks "who are you?", while 403 says "I know who you are, and the answer is no".

Why the other options are wrong

A

A 401 status code specifically indicates authentication failure, not a missing endpoint. A non-existent endpoint would return a 404 Not Found status code, which is a different HTTP error.

B

A successful request with an empty body would return a 204 No Content status code, not 401. The 401 code explicitly means the request was not processed due to missing or invalid authentication.

D

A server overload is indicated by a 503 Service Unavailable status code, not 401. The 401 code is solely related to authentication issues, not server capacity.

47
Drag & Dropmedium

Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.


Why this order

The correct order requires the DHCP server to be configured first so it can respond to requests. Then the IP helper-address is configured on the default gateway interface for VLAN 10 so the router relays the clients' broadcasts as unicast to the server in VLAN 20. Next, DHCP snooping is enabled globally, followed by marking as trusted the uplink port through which the server's replies arrive (untrusted ports drop DHCP server messages such as OFFER and ACK, so skipping this step breaks address assignment for every client), and then snooping is enabled on the client VLAN.

Finally, a client connection triggers a DHCP transaction that you can verify with the snooping binding table.

48
Multi-Selectmedium

Which two statements accurately compare TCP and UDP? (Choose two.)

Select 2 answers
A.TCP provides connection-oriented transport
B.UDP guarantees delivery through acknowledgments
C.UDP has lower overhead than TCP
D.TCP does not use port numbers
E.UDP is always faster because it avoids congestion
AnswersA, C

Correct. TCP is a connection-oriented transport protocol.

Why this answer

TCP is connection-oriented and uses sequencing, acknowledgments, and related controls. UDP is simpler and has lower overhead, but it does not guarantee delivery.

Exam trap

Be careful not to confuse the connection-oriented nature of TCP with UDP's connectionless design. Remember that TCP is about reliability, while UDP focuses on speed and simplicity.

Why the other options are wrong

B

UDP is a connectionless protocol that does not use acknowledgments, sequence numbers, or retransmissions; it simply sends datagrams without any guarantee of delivery. Reliable delivery mechanisms like acknowledgments are a feature of TCP, not UDP.

D

TCP uses port numbers extensively to identify source and destination applications, just like UDP. Port numbers are a fundamental part of both TCP and UDP headers, enabling multiplexing of multiple services on a single host.

E

While UDP has lower overhead and can be faster in some scenarios, it is not 'always faster' because network congestion, packet loss, and application behavior can affect performance. Additionally, UDP does not inherently avoid congestion; it simply does not implement congestion control, which can lead to network congestion if used aggressively.

49
MCQhard

An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. Which configuration change most likely resolves the failure?

A.Re-authenticate the phone using 'dot1x reauthenticate interface Gi1/0/1'
B.Configure 'authentication host-mode multi-domain' on the interface
C.Add 'switchport voice vlan 10' under the interface
D.Change the port to 'authentication port-control force-authorized'
AnswerB

This command allows the switch to authorize both data and voice domains separately on the same port, enabling the phone to receive the voice VLAN.

Why this answer

The correct answer is B because in a voice VLAN deployment with 802.1X, the switchport must be configured with 'authentication host-mode multi-domain' so that the port can authorize two devices in two separate domains: the IP phone in the voice domain and the PC behind it in the data domain. Without this mode the port runs in single-host mode, which admits a single authenticated MAC address in the data domain only, so the phone never receives the voice VLAN and stays unauthenticated.

Exam trap

The trap here is that candidates often assume the issue is a missing voice VLAN command or an authentication failure, but Cisco specifically tests the requirement for multi-domain host mode when voice VLAN is used with 802.1X.

Why the other options are wrong

A

Re-authentication forces the phone to re-authenticate, but the port remains in single-host mode, which only allows one authenticated device in the data domain. Without a separate voice domain the voice VLAN assignment still fails.

C

The voice VLAN is already configured with 'switchport voice vlan 10' as stated in the scenario. The issue is not the VLAN definition but the authentication domain separation; the phone remains unauthenticated because the port cannot assign the voice VLAN without proper multi-domain support.

D

Setting 'authentication port-control force-authorized' bypasses 802.1X authentication entirely, which defeats the purpose of port-based security. It would allow the phone to connect without authentication, but the voice VLAN assignment still requires proper domain handling; moreover, this is not a secure solution.

50
MCQhard

Exhibit: After a new switch was connected, the access-layer port went into err-disabled state immediately. Which feature most likely caused this?

A.Root Guard
B.UDLD aggressive
C.BPDU Guard
D.Storm control
AnswerC

Correct choice.

Why this answer

BPDU Guard is the most likely cause because it immediately places a PortFast-enabled port into the err-disabled state upon receiving any BPDU, which is exactly what happens when a new switch is connected to an access port meant for end devices. Root Guard does not err-disable a port; it moves the port into a root-inconsistent (blocking) state while superior BPDUs are received and recovers on its own once they stop, so no manual recovery is needed. UDLD aggressive mode can err-disable a port, but it reacts to a unidirectional link (typically a fiber fault) only after its probe exchange fails, not instantly at link-up.

Storm control can err-disable a port if traffic exceeds thresholds, but this is not immediate upon connection unless a broadcast storm is already occurring, which is not indicated in the scenario.

Exam trap

Be cautious not to confuse BPDU Guard with other features that cause err-disabled states, like Port Security or UDLD, which are unrelated to BPDU receipt.

Why the other options are wrong

A

Root Guard does not cause a port to go into err-disabled state; instead, it places the port into a root-inconsistent state if a superior BPDU is received, blocking traffic but not disabling the port. The question describes an immediate err-disabled state, which is characteristic of BPDU Guard, not Root Guard.

B

UDLD aggressive mode does not immediately cause an err-disabled state upon connecting a new switch; it detects unidirectional links by sending probes and can put the port into err-disabled state only after a failure is detected, which takes time. The immediate err-disabled state suggests a feature that reacts instantly to BPDUs.

D

Storm control does not cause a port to go into err-disabled state by default; it typically drops traffic exceeding a threshold or can be configured to shut down the port, but the immediate err-disabled state upon connecting a new switch is not typical for storm control. The scenario points to a feature that reacts to BPDUs, not broadcast storms.

51
Multi-Selectmedium

Which two statements accurately describe Syslog in a Cisco network environment?

Select 2 answers
A.Syslog can send device event messages to a centralized logging server.
B.Syslog is primarily used to assign IP addresses to hosts.
C.Syslog messages become easier to correlate when device clocks are synchronized.
D.Syslog automatically prevents switching loops.
E.Syslog replaces the need for any monitoring system.
AnswersA, C

This is correct because centralized message collection is one of Syslog’s main purposes.

Why this answer

Syslog is used to centralize device event messages such as warnings, errors, and informational entries. In plain language, it gives administrators one place to review what devices are reporting rather than checking each device individually. This makes troubleshooting and incident review easier, especially in larger environments. Syslog does not replace time synchronization, but it becomes much more useful when paired with NTP so timestamps are consistent.

A common trap is to assume Syslog is a routing protocol or a DHCP-like service. It is neither. It is about event reporting and centralized logging.

Exam trap

A common exam trap is confusing Syslog with DHCP or STP functions. Some candidates mistakenly believe Syslog assigns IP addresses or prevents switching loops because these are common network management tasks. However, Syslog’s sole purpose is to report and log device events.

Misunderstanding this can lead to selecting incorrect answers that describe DHCP’s or STP’s roles. Another trap is overlooking the importance of synchronized clocks for meaningful log correlation, which can cause candidates to underestimate why consistent timestamps matter in Syslog environments.

Why the other options are wrong

B

This option is incorrect because Syslog does not assign IP addresses; DHCP is the protocol responsible for IP address allocation in Cisco networks.

D

This option is incorrect because Syslog does not prevent switching loops; this function is handled by Spanning Tree Protocol (STP).

E

This option is incorrect because Syslog complements but does not replace broader network monitoring systems that provide additional analysis and alerting capabilities.

52
MCQhard

A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?

A.BPDU Guard disabled the PortFast-enabled access port after it received a BPDU.
B.Port security shut down the port because the VLAN was wrong.
C.DHCP snooping disabled the interface because a host requested an address.
D.EtherChannel suspended the interface because the bundle was incomplete.
AnswerA

This is correct because an err-disabled, PortFast-enabled access port is the signature of a BPDU Guard violation: the port received a BPDU it was never supposed to see.

Why this answer

The strongest reason is a BPDU Guard violation on a PortFast-enabled access port. In practical terms, the port was expected to face an end host, not a switching device that emits BPDUs. When BPDUs appeared, the switch treated that as a topology-policy violation and error-disabled the interface to protect the network.

This is one of the most classic access-layer protection patterns on the CCNA exam.

Exam trap

Be careful not to confuse BPDU Guard with other port security features or network issues like duplex mismatches.

Why the other options are wrong

B

Port security restricts access based on MAC addresses, not VLANs, and a port security violation has nothing to do with the PortFast and BPDU condition the question describes.

C

DHCP snooping does not react to BPDUs; it filters DHCP messages and can err-disable a port for DHCP rate-limit violations, which the scenario does not describe.

D

EtherChannel suspends a member interface because of configuration mismatches within the bundle, not because of BPDU reception, and the scenario describes a single PortFast access port, not a bundle member.
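An added example (not from the questions) that serves questions 50 to 52: it parses Cisco IOS syslog lines into facility, severity and mnemonic, pulls the err-disable cause out of the %PM-4-ERR_DISABLE text, and lists the ports named by %SPANTREE-2-BLOCK_BPDUGUARD, which is the correlation an analyst does when a port goes down. The log lines, timestamps, interface and host are constructed to look like output from a switch configured with service timestamps log datetime msec and service sequence-numbers; the year passed to parse_line is an assumption, since syslog timestamps carry none.

```python
"""
Added example, not from the question bank: parse Cisco IOS syslog lines the
way a collector would, extract severity, and correlate an err-disable action
with the BPDU Guard message that caused it.  LOG_LINES are constructed; the
interface, timestamps and operator are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                      # optional sequence number
    r"[*.]?"                                     # clock-not-synced marker
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{3,4}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")
ERRDISABLE_RE = re.compile(r"^(?P<cause>\S+) error detected on (?P<intf>\S+),")
BPDUGUARD_RE = re.compile(r"Received BPDU on port (\S+) with BPDU Guard enabled")


@dataclass
class SyslogEvent:
    seq: int
    timestamp: datetime
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self):
        return SEVERITY[self.severity]


def parse_line(line, year=2024):
    """Parse one IOS-format line; None if it is not one.  Syslog timestamps
    carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    when = datetime.strptime(ts, fmt).replace(year=year)
    return SyslogEvent(int(m.group("seq") or 0), when, m.group("facility"),
                       int(m.group("sev")), m.group("mnemonic"), m.group("text"))


def err_disable_causes(lines):
    """Map interface -> cause for every %PM-4-ERR_DISABLE message."""
    causes = {}
    for ev in map(parse_line, lines):
        if ev and ev.facility == "PM" and ev.mnemonic == "ERR_DISABLE":
            m = ERRDISABLE_RE.match(ev.text)
            if m:
                causes[m.group("intf")] = m.group("cause")
    return causes


def bpduguard_ports(lines):
    """Ports on which BPDU Guard fired (the message names the long form)."""
    ports = []
    for ev in map(parse_line, lines):
        if ev and ev.mnemonic == "BLOCK_BPDUGUARD":
            m = BPDUGUARD_RE.search(ev.text)
            if m:
                ports.append(m.group(1))
    return ports


def at_or_above(lines, max_severity):
    """Mnemonics at severity <= max_severity (lower number = more severe)."""
    return [ev.mnemonic for ev in map(parse_line, lines)
            if ev and ev.severity <= max_severity]


# Constructed sample: a switch reacting to a rogue switch on an access port.
LOG_LINES = [
    "000123: Mar 14 10:22:01.117 UTC: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.",
    "000124: Mar 14 10:22:01.119 UTC: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "000125: Mar 14 10:22:02.004 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down",
    "000126: Mar 14 10:22:02.006 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
    "000127: Mar 14 10:25:40.500 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)",
]

if __name__ == "__main__":
    print("err-disable causes:", err_disable_causes(LOG_LINES))
    print("BPDU Guard ports:", bpduguard_ports(LOG_LINES))
    print("warnings and worse:", at_or_above(LOG_LINES, 4))
```

Two things the parser makes visible: the cause field in the ERR_DISABLE message is what separates a BPDU Guard shutdown from port security, UDLD or storm control, and the two messages are only two milliseconds apart, which is the kind of correlation that falls apart across devices when clocks are not synchronized.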

53
Multi-Selectmedium

Which two statements accurately describe API authentication tokens? (Choose two.)

Select 2 answers
A.Tokens are often sent in an HTTP header such as Authorization
B.Tokens are always permanent and never expire
C.Tokens can be used instead of resending credentials on every request
D.Tokens require Telnet to be enabled on the device
E.A token changes JSON into XML automatically
AnswersA, C

That is a common REST API pattern.

Why this answer

APIs often use tokens so clients can authenticate without sending usernames and passwords in every call. Tokens are commonly time-limited and are usually placed where the API expects them, such as an HTTP header.

Exam trap

A frequent exam trap is selecting that tokens are permanent or require Telnet to function. Many candidates mistakenly believe tokens never expire, but in reality, tokens are often time-limited to improve security. Another trap is associating tokens with Telnet, which is unrelated to API authentication.

Additionally, some may incorrectly think tokens convert data formats like JSON to XML, which is false since tokens only handle authentication. Misunderstanding these points can lead to choosing incorrect options that seem plausible but do not align with Cisco’s API security practices.

Why the other options are wrong

B

Incorrect because tokens are usually time-limited and expire after a set period to enhance security, so they are not permanent credentials.

D

Incorrect because Telnet is unrelated to API token authentication; tokens do not depend on Telnet or any specific legacy protocol.

E

Incorrect because authentication tokens do not convert data formats; their sole purpose is to authenticate clients, not to transform JSON into XML or any other format.
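An added example (written for this page, not taken from any controller's SDK) that ties together questions 45, 46 and 53: a client that logs in, carries the token in the Authorization header, treats a 401 as "token no longer valid, re-authenticate once and retry", and parses the JSON body instead of scraping text. FakeController, its paths (/auth/token, /devices), the token strings and the credentials are all constructed so the code runs offline; a real controller would be reached over HTTPS with a library such as requests.

```python
"""
Added example, not part of the original questions: a minimal REST client that
sends a bearer token in the Authorization header, handles HTTP 401 by
re-authenticating once, and parses the JSON response.  FakeController stands
in for the network; its paths, tokens and credentials are constructed.
"""
import json


class FakeController:
    """Stand-in for an API endpoint: issues tokens, rejects stale ones."""

    def __init__(self):
        self.current_token = "tok-1"
        self.calls = []                  # (method, path) for inspection

    def request(self, method, path, headers, body=None):
        self.calls.append((method, path))
        if path == "/auth/token":
            # A real controller validates the credentials in 'body' here.
            self.current_token = "tok-" + str(len(self.calls))
            return 200, json.dumps({"token": self.current_token})
        if headers.get("Authorization") != f"Bearer {self.current_token}":
            return 401, json.dumps({"error": "invalid or expired token"})
        if path == "/devices":
            return 200, json.dumps({"devices": [
                {"hostname": "SW1", "mgmtIp": "10.0.0.11"},
                {"hostname": "SW2", "mgmtIp": "10.0.0.12"}]})
        return 404, json.dumps({"error": "no such resource"})


class ApiClient:
    def __init__(self, transport, username, password):
        self.transport = transport
        self.creds = (username, password)
        self.token = None

    def login(self):
        status, body = self.transport.request(
            "POST", "/auth/token", headers={},
            body=json.dumps({"username": self.creds[0], "password": self.creds[1]}))
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.token = json.loads(body)["token"]

    def get(self, path):
        if self.token is None:
            self.login()
        for attempt in range(2):              # at most one re-auth retry
            headers = {"Authorization": f"Bearer {self.token}",
                       "Accept": "application/json"}
            status, body = self.transport.request("GET", path, headers)
            if status == 401 and attempt == 0:
                self.login()                  # token expired or revoked
                continue
            if status == 401:
                raise PermissionError("still 401 after re-authentication")
            if status == 404:
                raise LookupError(f"{path}: 404 Not Found")
            if status != 200:
                raise RuntimeError(f"{path}: HTTP {status}")
            return json.loads(body)           # structured data, not scraped text
        raise RuntimeError("unreachable")


def device_ips(client):
    return [d["mgmtIp"] for d in client.get("/devices")["devices"]]


def run_example():
    ctrl = FakeController()
    client = ApiClient(ctrl, "automation", "constructed-password")
    first = device_ips(client)
    ctrl.current_token = "revoked"            # simulate server-side expiry
    second = device_ips(client)               # 401, re-login, retry
    return first, second, [path for _, path in ctrl.calls]


if __name__ == "__main__":
    first, second, paths = run_example()
    print(first, second)
    print(" -> ".join(paths))
```

The call trace shows the pattern: one login, then a 401 on the next fetch after the token is revoked, one re-login, and a successful retry; the client never resends the password on ordinary requests, only the short-lived token.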

54
MCQeasy

Which OSPF neighbor state indicates that the routers have already exchanged full link-state databases?

A.2-WAY
B.EXSTART
C.FULL
D.INIT
AnswerC

FULL indicates the neighbors are fully adjacent.

Why this answer

FULL means the adjacency is complete and database synchronization has finished. States such as INIT, 2-WAY, EXSTART, EXCHANGE and LOADING all occur earlier in the process.

Exam trap

A frequent exam trap is selecting the 2-WAY or EXSTART states as the answer because they represent important steps in OSPF neighbor formation. However, 2-WAY only confirms bidirectional hello packets without database exchange, and EXSTART is merely the negotiation phase for database synchronization. Choosing these states overlooks the fact that full link-state database exchange and adjacency completion only occur at the FULL state.

Misunderstanding this can lead to incorrect assumptions about OSPF neighbor readiness and routing stability.

Why the other options are wrong

A

The 2-WAY state confirms bidirectional communication between OSPF neighbors but does not indicate that the full link-state database has been exchanged. It is an intermediate step before full adjacency.

B

EXSTART is the initial phase of database exchange where routers negotiate master-slave roles and sequence numbers. It does not mean the databases are fully synchronized yet.

D

INIT state means a router has received a hello packet from a neighbor but has not confirmed bidirectional communication, so full database exchange has not started.

55
MCQ (easy)

Which data format uses key-value pairs and is commonly returned by REST APIs?

A. YANG
B. JSON
C. Syslog
D. CDP
Answer: B

JSON commonly represents API payloads.

Why this answer

JSON is a lightweight, human-readable data format that uses key-value pairs and is the most common format returned by REST APIs. YANG is a data modeling language used for configuration and state data, not a data format. Syslog is a logging protocol used for system messages.

CDP (Cisco Discovery Protocol) is a Layer 2 discovery protocol for Cisco devices. None of these are key-value pair data formats typically returned by REST APIs.

Exam trap

Be careful not to confuse JSON with XML or YAML, which have different structures and use cases.

Why the other options are wrong

A

YANG is a data modeling language, not a data format; it describes the structure of data but does not use key-value pairs for API responses.

C

Syslog is a protocol for logging system events, not a data format for REST API responses.

D

CDP is a Cisco proprietary discovery protocol for neighbor devices, irrelevant to data formats in REST APIs.

56
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure an SSID on a WLC and complete a WPA3-Personal client association with DHCP address assignment.


Why this order

The correct sequence is to first create the SSID profile, then configure WPA3-Personal security to ensure the WLAN is protected before it becomes active, then enable the SSID, set up the DHCP scope for address assignment, and finally allow the client to associate and obtain an IP address. Option A enables the SSID before setting security, exposing the network to unauthorized access during that window. Option B incorrectly starts with DHCP configuration before the SSID even exists.

Option D also enables the SSID before security, leading to the same vulnerability as option A. Only option C follows the secure configuration order recommended by Cisco.

Exam trap

A common mistake is enabling the WLAN before applying WPA3 security, but the recommended practice is to configure security first to prevent a temporary open SSID.

57
MCQ (hard)

A router interface applies this ACL inbound:

10 deny tcp any any eq 80
20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

A. The ACL blocks all traffic because the first entry is a deny
B. The ACL blocks HTTP but allows ICMP
C. The ACL permits HTTP because line 20 overrides line 10
D. The ACL blocks ping because ICMP is not explicitly permitted
Answer: B

Correct. HTTP matches the deny, while ping is permitted by the later broad permit.

Why this answer

ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.

Exam trap

Remember that ACLs are processed sequentially; the first match dictates the action, not subsequent lines.

Why the other options are wrong

A

The ACL does not block all traffic; it only denies TCP traffic destined for port 80 (HTTP). Other traffic, including ICMP, is permitted by the subsequent 'permit ip any any' statement.

C

Line 20 does not override line 10 because ACLs use first-match logic. Once a packet matches line 10 (TCP port 80), it is denied and no further processing occurs. Line 20 only applies to packets that do not match earlier entries.

D

ICMP is not explicitly blocked; it is permitted by the 'permit ip any any' statement on line 20, which covers all IP protocols including ICMP. The user's ping works, confirming this.

58
PBQ (hard)

You are connected to R1, a branch router that must synchronize time with the NTP server at 198.51.100.1 (reachable via G0/0) and send critical syslog messages (severity 0-4) to the logging server at 203.0.113.10. The current configuration has NTP pointing to a wrong server and syslog set to debug level, flooding the server. Correct the NTP server, set the NTP source interface to Loopback0 (10.10.10.1/32), and adjust the syslog trap level so that only emergencies through warnings are logged.

Hints

  • Remove the incorrect NTP server before adding the correct one.
  • Use the 'ntp source' command to specify the Loopback interface.
  • The logging trap level 'warnings' corresponds to severity 4.
A. ntp server 198.51.100.1 source Loopback0; logging trap warnings
B. ntp server 198.51.100.1 source G0/0; logging trap errors
C. ntp server 192.0.2.1 source Loopback0; logging trap warnings
D. ntp server 198.51.100.1 source Loopback0; logging trap debugging
Answer: A
Solution
! R1
no ntp server 192.0.2.1
ntp server 198.51.100.1
ntp source Loopback0
no logging trap debugging
logging trap warnings

Why this answer

The NTP server was misconfigured to 192.0.2.1, which is unreachable, leaving the router at stratum 16. The correct NTP server is 198.51.100.1, so the ntp server command must be updated. The source interface should be Loopback0 for reachability consistency.

The syslog trap level was set to debugging (level 7), which sends all messages; it should be changed to warnings (level 4) to filter only severity 0-4. Verification includes checking NTP synchronization and syslog configuration.

Exam trap

Watch out for two separate configuration items: NTP and syslog. Ensure you update both the NTP server IP and source interface, and set the correct syslog trap level. Common traps include forgetting to change the NTP server IP, using the wrong source interface, or setting the wrong syslog severity level.

Why the other options are wrong

B

The source interface must be Loopback0 for consistency, and the trap level should be warnings (4) so that warning-level messages are also sent, which 'errors' would exclude.

C

The NTP server address must be updated to 198.51.100.1; 192.0.2.1 is the misconfigured server.

D

The trap level should be warnings (4), not debugging (7). Debugging sends all messages, flooding the server.

59
MCQ (medium)

Two switches are connected by an 802.1Q trunk. CDP reports a native VLAN mismatch. Which issue is most likely to appear because of this?

A. Untagged traffic may be placed into different VLANs on each switch.
B. All tagged traffic on the trunk is dropped immediately.
C. STP is disabled on the trunk link.
D. The trunk automatically converts to an access port.
Answer: A

That is the classic symptom of a native VLAN mismatch.

Why this answer

A native VLAN mismatch can cause untagged traffic sent on one side to be placed into a different VLAN on the other side. That leads to confusing connectivity issues and can also create security concerns. It does not automatically disable the trunk.

Exam trap

A common exam trap is to believe that a native VLAN mismatch causes the trunk link to shut down or block all traffic. In reality, only untagged traffic is affected, and tagged VLAN traffic continues to pass normally if allowed VLANs match. Another mistake is thinking the trunk automatically converts to an access port, which Cisco switches do not do.

Candidates may also overlook that STP remains enabled and functional despite the mismatch. Focusing only on trunk status without considering untagged traffic behavior leads to incorrect answers.

Why the other options are wrong

B

This is incorrect because tagged traffic on the trunk is not dropped due to a native VLAN mismatch; tagged frames continue to be forwarded normally if VLANs are allowed on both sides.

C

This option is wrong since a native VLAN mismatch does not disable Spanning Tree Protocol; STP continues to operate normally on the trunk link.

D

This is incorrect because Cisco switches do not automatically convert a trunk port to an access port due to a native VLAN mismatch; the trunk remains active.

60
Matching (medium)

Drag and drop the protocol/model on the left to the correct description on the right.


Data modeling language used to define configuration and state data structures

Protocol using XML over SSH for configuration management and transactional operations

RESTful API using HTTP methods (GET, PUT, POST, DELETE) over HTTPS

Operation to modify configuration with options like merge, replace, create, delete

HTTP method used for partial updates to a resource

Why these pairings

YANG is a data modeling language used to define configuration and state data. NETCONF is an XML-based protocol over SSH that supports transactional configuration management. RESTCONF is a RESTful API over HTTPS that uses standard HTTP methods like GET, PUT, POST, DELETE.

NETCONF <edit-config> is an operation that modifies configuration with options like merge, replace, create, delete. RESTCONF PATCH is an HTTP method used for partial updates to a resource.

Exam trap

Do not confuse NETCONF and RESTCONF: NETCONF uses XML over SSH with a locked configuration datastore and replace operations, while RESTCONF uses HTTPS and standard HTTP methods, often with JSON encoding. Also remember that YANG is a modeling language, not a protocol.

61
PBQ (hard)

You are connected to the console of a Catalyst 2960+ switch named SW2. Configure the switch so that the IP phone connected to interface FastEthernet0/5 receives power via PoE and uses VLAN 150 for voice traffic, while the PC connected through the phone uses VLAN 50 for data. Additionally, the access point connected to interface FastEthernet0/10 must receive PoE and be placed in VLAN 100. Assume the interfaces are already correctly configured as access ports in VLAN 50 and VLAN 100, respectively. Verify your configuration using the appropriate show commands.

Network Topology: SW2 connects to an IP Phone on Fa0/5 and to an Access Point on Fa0/10.

Hints

  • Use 'switchport voice vlan' to define the voice VLAN on an access port.
  • Enable PoE on a port with 'power inline auto'.
  • Verify voice VLAN with 'show interfaces switchport' and PoE with 'show power inline'.
A. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces switchport and show power inline.
B. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: switchport access vlan 100, power inline auto. Verify with show interfaces switchport and show power inline.
C. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show vlan and show power inline.
D. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces trunk and show power inline.
Answer: A
Solution
! SW2
configure terminal
interface FastEthernet0/5
switchport voice vlan 150
power inline auto
interface FastEthernet0/10
power inline auto
end

Why this answer

The switch had no voice VLAN or PoE configured on the ports. On FastEthernet0/5, you need to add 'switchport voice vlan 150' to separate voice traffic from data, and 'power inline auto' to enable PoE for the IP phone. On FastEthernet0/10, you only need to enable PoE with 'power inline auto' because the AP already has its access VLAN set.

After configuration, 'show interfaces switchport' will confirm the voice VLAN, and 'show power inline' will verify PoE status.

Exam trap

Avoid adding unnecessary commands like setting the access VLAN on a port that already has it configured. Also, use the correct show command: show interfaces switchport for voice VLAN, not show vlan or show interfaces trunk.

Why the other options are wrong

B

The error is adding an unnecessary access VLAN command for the AP port, which is not required and could conflict with existing configuration.

C

The error is using show vlan instead of show interfaces switchport to verify voice VLAN on a port.

D

The error is using show interfaces trunk, which is for trunk ports, not for verifying voice VLAN on an access port.

62
MCQ (medium)

Why is version control useful for network automation scripts?

A. It automatically fixes coding mistakes
B. It tracks changes and supports rollback and review
C. It removes the need for API authentication
D. It replaces the device operating system
Answer: B

Correct. Tracking and rollback are the key benefits.

Why this answer

Version control provides change history, collaboration, and rollback options for scripts and infrastructure-as-code files.

Exam trap

A frequent exam trap is selecting options that imply version control automatically corrects coding mistakes or replaces device functions. Candidates might incorrectly believe version control fixes errors or removes the need for API authentication, but it only tracks changes and supports collaboration. Misunderstanding this leads to choosing options like 'It automatically fixes coding mistakes' or 'It removes the need for API authentication,' which are false.

Another trap is confusing version control with device software management, mistakenly thinking it replaces the device operating system. Recognizing that version control solely manages script versions and history prevents these errors.

Why the other options are wrong

A

Option A incorrectly claims version control automatically fixes coding mistakes. While version control tracks changes, it does not validate or correct errors in scripts, so this option is false.

C

Option C falsely suggests version control removes the need for API authentication. Authentication is a separate security process and is not affected by version control.

D

Option D incorrectly claims version control replaces the device operating system. Version control manages script versions only and does not interact with device OS software.

63
MCQ (hard)

A route to 192.168.1.0/24 appears in the routing table from OSPF, but a more specific static route to 192.168.1.128/25 is also configured. Which route is used for traffic to 192.168.1.200?

A. The OSPF /24 route
B. The static /25 route
C. Both routes automatically load-balance
D. Neither route because the network overlaps
Answer: B

This is correct because 192.168.1.200 falls within 192.168.1.128/25.

Why this answer

The static /25 route is used because longest-prefix match prefers the most specific matching route. In plain language, even though the OSPF /24 route covers the destination, the /25 static route covers a narrower range and therefore wins for addresses inside that upper half of the subnet.

The router does not begin by asking which protocol is more trusted unless the prefix lengths are equal among the matching routes.

Exam trap

A common exam trap is assuming that the routing protocol with the lower administrative distance or higher trustworthiness automatically wins, regardless of prefix length. Candidates may incorrectly choose the OSPF /24 route because OSPF is a dynamic protocol and often trusted. However, the router always applies the longest-prefix match rule first, so the more specific static /25 route is preferred.

Overlapping routes are normal and do not cause routing conflicts; the router simply forwards packets based on the most specific match. Misunderstanding this can lead to selecting the wrong answer and missing the core routing principle tested here.

Why the other options are wrong

A

The OSPF /24 route is less specific than the static /25 route. Since longest-prefix match prefers the more specific route, the OSPF route is not used for 192.168.1.200.

C

Both routes do not automatically load-balance because they have different prefix lengths. Load balancing requires equal prefix length and equal cost routes, which is not the case here.

D

Option D is incorrect because overlapping routes are common and are resolved by longest-prefix match. The router uses the more specific static /25 route, so traffic is forwarded correctly.

64
MCQ (hard)

A switch port connected to an edge host immediately transitions to forwarding and then later goes err-disabled after a BPDU is received. Which feature combination most likely produced this behavior?

A. PortFast with BPDU Guard
B. NetFlow with SNMP traps
C. OSPF passive-interface with EUI-64
D. WPA3 with CAPWAP
Answer: A

This is correct because PortFast speeds forwarding and BPDU Guard disables the edge port if a BPDU appears.

Why this answer

The most likely combination is PortFast with BPDU Guard. In practical terms, PortFast explains why the port moved quickly into forwarding when the host connected. BPDU Guard explains why the same port later shut down after seeing a BPDU that should not normally appear on an edge port.

This is a very common enterprise edge-port design pattern and a classic exam scenario.

Exam trap

Beware of confusing BPDU Guard with other protection mechanisms like Root Guard or Loop Guard; each serves a different purpose.

Why the other options are wrong

B

NetFlow is used for traffic monitoring and analysis, while SNMP traps are used for network management notifications. Neither feature affects STP behavior or port state transitions; they do not cause a port to go err-disabled upon receiving a BPDU.

C

OSPF passive-interface prevents OSPF from sending routing updates on an interface but does not affect STP or port security. EUI-64 is used for IPv6 address generation. Neither feature relates to BPDU handling or err-disable behavior.

D

WPA3 is a wireless security protocol, and CAPWAP is a control and provisioning protocol for wireless access points. These are entirely unrelated to wired switch port STP behavior and cannot cause a port to go err-disabled due to BPDU reception.

65
MCQ (hard)

A host address is 172.31.9.200/27. Which address is the first usable host in that subnet?

A. 172.31.9.193
B. 172.31.9.192
C. 172.31.9.223
D. 172.31.9.201
Answer: A

This is correct because 172.31.9.192 is the network address and .193 is the first usable host.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the relevant last-octet blocks are 0-31, 32-63, 64-95, 96-127, 128-159, 160-191, 192-223, and 224-255. Because 200 falls within the 192-223 block, the network address is 172.31.9.192 and the first usable host is 172.31.9.193.

This is a host-range interpretation problem rather than just network-or-broadcast recognition.

Exam trap

Be careful not to confuse the network address with the first usable host address.

Why the other options are wrong

B

172.31.9.192 is the network address of the subnet, which is reserved and cannot be assigned to any host. In IPv4, the network address is used to identify the subnet itself, not as a host address.

C

172.31.9.223 is the broadcast address of the subnet, which is reserved for sending traffic to all hosts in the subnet. It cannot be assigned to a host.

D

172.31.9.201 is a valid host address in the subnet, but it is not the first usable host. The first usable host is .193, which comes after the network address .192.

66
MCQ (medium)

Two switches are connected by an 802.1Q trunk. Hosts in VLAN 30 cannot communicate across the link, but VLAN 10 works. What is the most likely cause?

A. VLAN 30 is missing from the allowed VLAN list on SW2
B. VLAN 10 must be removed for VLAN 30 to pass
C. The trunk should use ISL instead of 802.1Q
D. The port on SW1 should be changed to access mode
Answer: A

SW2 is only allowing VLANs 10 and 20.

Why this answer

When one VLAN works across a trunk but another does not, the most likely cause is that the failing VLAN is missing from the allowed VLAN list on one or both switches. This is often confirmed by a 'show interfaces trunk' command. Option B is incorrect because removing VLAN 10 would break an already working VLAN and does not address VLAN 30.

Option C is incorrect because both ISL and 802.1Q carry multiple VLANs; the issue is not the encapsulation protocol. Option D is incorrect because changing a trunk port to access mode would disable the trunk entirely, preventing all VLAN traffic.

Exam trap

Beware of confusing native VLAN issues with allowed VLAN list configurations. Native VLAN problems affect untagged traffic, not specific VLANs.

Why the other options are wrong

B

Removing VLAN 10 from the allowed list would break an already functioning VLAN and would not fix VLAN 30.

C

Both ISL and 802.1Q support multiple VLANs; the problem is not the trunking protocol but the allowed VLAN list.

D

Changing a trunk port to access mode would terminate the trunk, preventing all VLAN traffic across the link.

67
Drag & Drop (medium)

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, including the use of nslookup and dig for diagnosis.


Why this order

DNS resolution starts with the client query, then recursive server lookups, authoritative response, caching and reply, and finally diagnostic tools like nslookup or dig to verify.

Exam trap

Do not confuse the order of DNS resolution steps. The client query always comes first, followed by recursive server queries, then authoritative response, then caching and reply, and finally diagnostic tools. Watch out for options that place diagnostic tools or authoritative responses before the client query.

68
MCQ (hard)

A switchport connected to another switch should carry VLANs 10, 20, and 30. The interface is operational, but only VLAN 10 works. VLANs 20 and 30 fail. Which explanation is most likely if the port was accidentally configured as an access port in VLAN 10?

A. The interface is carrying only VLAN 10 because an access port does not transport multiple VLANs like a trunk.
B. VLAN 20 and 30 require different IP subnet masks on the switches.
C. Every inter-switch link must use a routed port instead of a trunk.
D. STP blocks all VLANs except VLAN 10 by design.
Answer: A

This is correct because an access-port misconfiguration explains why only the configured VLAN works.

Why this answer

The correct answer is A because an access port is limited to a single VLAN, so only VLAN 10 traverses the link. Option B is incorrect: IP subnet masks are irrelevant on switchports that operate at Layer 2. Option C is incorrect: inter-switch links typically use trunk ports, not routed ports.

Option D is incorrect: STP does not block based on VLAN IDs; it blocks redundant paths, not specific VLANs.

Exam trap

Be careful not to confuse access port limitations with trunk configuration issues. Always verify the port mode when troubleshooting VLAN connectivity.

Why the other options are wrong

B

IP subnet masks are Layer 3 concepts and do not affect Layer 2 VLAN propagation across a switchport. The issue here is purely Layer 2, related to the switchport mode (access vs. trunk), not IP addressing. VLANs 20 and 30 would still fail regardless of subnet mask configuration.

C

Routed ports are Layer 3 interfaces used for routing between networks, not for carrying multiple VLANs. The standard method for carrying multiple VLANs between switches is to use a trunk port, which tags frames with VLAN IDs. A routed port would not solve the issue and would break Layer 2 connectivity.

D

STP (Spanning Tree Protocol) prevents loops by blocking redundant paths, but it does not selectively block specific VLANs based on their VLAN ID. If STP were blocking VLANs 20 and 30, it would be due to a misconfiguration like PVST+ inconsistencies, not by design. The scenario describes a simple access port misconfiguration, not an STP issue.

69
MCQ (medium)

Two switches form an EtherChannel. One side is configured with LACP active. Which setting on the other side will successfully negotiate the bundle?

A. PAgP desirable
B. on
C. LACP passive
D. PAgP auto
Answer: C

Correct. Active plus passive will negotiate LACP.

Why this answer

LACP forms when at least one side is active and the other side is active or passive.

Exam trap

Remember that 'on' mode forces the channel without negotiation and LACP cannot form a channel with PAgP.

Why the other options are wrong

A

PAgP is a Cisco proprietary protocol and cannot negotiate with LACP. Even if one side is set to PAgP desirable, the LACP active side will not respond, resulting in no EtherChannel formation.

B

The 'on' mode creates a static EtherChannel without any negotiation. Since the LACP active side expects LACP PDUs to form the bundle, the static 'on' side will not send or respond to LACP messages, causing a mismatch.

D

PAgP auto is a passive PAgP mode that waits for a PAgP desirable partner. It cannot negotiate with LACP active because the protocols are incompatible.

70
MCQ (hard)

An engineer is troubleshooting an OSPF adjacency issue between two Cisco routers, R1 and R2, connected via GigabitEthernet0/0 on both sides. Hosts on R1's LAN cannot ping hosts on R2's LAN. The engineer checks the OSPF neighbor state on R1 and sees the adjacency is stuck in EXSTART/EXCHANGE. The router IDs are 1.1.1.1 on R1 and 2.2.2.2 on R2, and both routers have a network statement for their directly connected subnet. What is the most likely cause of this problem?

A. The passive-interface default command is blocking OSPF Hellos on GigabitEthernet0/0.
B. There is an MTU mismatch between R1 and R2 on the GigabitEthernet0/0 interfaces.
C. The OSPF area configured on the interface does not match between R1 and R2.
D. The router IDs 1.1.1.1 and 2.2.2.2 are conflicting with each other.
Answer: B

An MTU mismatch causes OSPF DBD packets to be dropped, leading to the EXSTART/EXCHANGE state. Fixing the MTU on one side to match the other resolves the adjacency.

Why this answer

The EXSTART/EXCHANGE state indicates that OSPF neighbors have progressed past the 2-Way state and are attempting to exchange Database Description (DBD) packets. An MTU mismatch on the directly connected GigabitEthernet0/0 interfaces prevents successful DBD exchange because the interface with the smaller MTU drops the larger DBD packet, causing the adjacency to remain stuck in EXSTART/EXCHANGE. Options A and C are incorrect because passive-interface default and area mismatches prevent the adjacency from reaching EXSTART/EXCHANGE (they block Hello exchange), and option D is incorrect because conflicting router IDs would prevent adjacency formation entirely, not result in a stuck EXSTART/EXCHANGE state.

Exam trap

Cisco often tests the MTU mismatch scenario by presenting symptoms of a stuck adjacency in EXSTART/EXCHANGE, which candidates may confuse with other issues like mismatched areas or passive interfaces, but the key clue is the specific state where DBD exchange fails.

Why the other options are wrong

A

The passive-interface default command would block Hellos, preventing the adjacency from ever reaching the EXSTART/EXCHANGE state.

C

An OSPF area mismatch would cause Hellos to be ignored, so the adjacency would not progress past the Down or Init state.

D

Conflicting router IDs would prevent the routers from becoming neighbors at all, as OSPF requires unique router IDs within an area.

71
MCQ (medium)

A network operations team is implementing an AI-driven automation system that uses an agentic AI agent to handle routine network issues. The agent is configured to detect high CPU utilization on a core router, then automatically execute a series of diagnostic commands and, if a specific pattern is found, trigger a configuration change to reduce load. After the change, the agent re-checks CPU utilization and, if still high, escalates the issue to a human engineer. Which of the following best describes the workflow being used?

A. A static automation script that runs on a schedule without feedback
B. A closed-loop remediation workflow
C. A tool-calling mechanism for executing network commands
D. An AI agent that uses reinforcement learning to optimize network performance
Answer: B

The agent detects an issue, takes corrective action, verifies the outcome, and escalates if needed, which is the definition of a closed-loop workflow.

Why this answer

The scenario describes a closed-loop remediation workflow, where the AI agent detects an issue, takes action, verifies the result, and escalates if the problem persists. Tool-calling refers to the agent's ability to invoke specific functions (e.g., diagnostic commands, configuration changes), but the overall process is a closed loop. AI agents are the autonomous entities, but the workflow is the key concept.

Why the other options are wrong

A

Option A describes a static automation script that runs on a schedule without feedback, but the scenario involves an agent that detects an issue, takes action, re-checks, and escalates if needed, which is adaptive rather than static.

C

Tool-calling is a component of the workflow (executing diagnostic commands and configuration changes), but the overall process includes detection, action, verification, and escalation, which is more than just calling tools.

D

Reinforcement learning involves continuous trial-and-error learning from rewards, but the scenario uses predefined diagnostics and actions, not learning from past outcomes to improve future decisions.

72
PBQ (hard)

You are troubleshooting connectivity between R1 and R2. R1's Gi0/0 interface is connected to R2's Gi0/0. R1 can ping its own IP but cannot ping R2's IP. Examine the provided 'show interfaces' output on R1 and identify the root cause. Then, apply the necessary configuration command(s) on R1 to resolve the issue.

Network Topology: R1 Gi0/0 (192.168.1.1/30) is linked to R2 Gi0/0 (192.168.1.2/30).

Hints

  • The interface is up but line protocol is down—think Layer 2.
  • Check the duplex and speed settings; mismatch can cause this.
  • Ensure both ends have the same duplex setting; for GigabitEthernet, full-duplex is standard.
A. interface GigabitEthernet0/0; duplex full; speed 1000
B. interface GigabitEthernet0/0; no shutdown
C. interface GigabitEthernet0/0; ip address 192.168.1.1 255.255.255.0
D. interface GigabitEthernet0/0; no keepalive
Answer: A
Solution
! R1
interface gi0/0
duplex full

Why this answer

The 'line protocol is down' on R1's Gi0/0 interface indicates a Layer 2 issue. Since the interface is up but line protocol is down, the most common cause is a duplex mismatch or a keepalive issue. In this scenario, the interface is configured as 'full-duplex' but the far-end R2 might be set to half-duplex, causing a mismatch.

The fix is to set the duplex to 'full' and speed to 1000 on R1's interface, or to use 'auto' for both. However, the correct command to resolve a duplex mismatch is to set both sides to the same setting, typically 'full' for GigabitEthernet. The command 'duplex full' under the interface will ensure R1 uses full-duplex, and if R2 is also set to full-duplex, the line protocol should come up.

Exam trap

Do not confuse 'line protocol is down' with an interface being administratively down. The 'up/down' status points to a Layer 2 issue, often duplex mismatch. Always check duplex and speed settings first.

Why the other options are wrong

B

The specific factual error is that 'no shutdown' only brings an interface out of an administratively down state, but the problem here is a line protocol issue, not an administrative shutdown.

C

The specific factual error is that the IP address is already configured correctly; the problem is at Layer 2, not Layer 3.

D

The specific factual error is that keepalive settings are not typically the cause of a line protocol down on modern Ethernet interfaces; duplex mismatch is a more common cause.

73
MCQ · hard

Two switches should form an LACP EtherChannel. One side is configured passive, and the other side is also passive. What is the most likely result?

A.The EtherChannel is unlikely to form because neither side initiates LACP negotiation.
B.The EtherChannel always forms because passive mode is stronger than active mode.
C.The link becomes a routed port automatically.
D.Both switches delete the port-channel configuration.
AnswerA

This is correct because passive/passive normally does not start the LACP exchange.

Why this answer

If both sides are passive, the EtherChannel is unlikely to form because passive mode waits for the other side to initiate LACP negotiation. In plain language, both switches are listening, but neither is actively starting the conversation. Because neither side takes the active role, the bundle normally stays down or unformed unless one side is changed to active.

This is a classic LACP negotiation question. It reinforces the difference between valid pairings such as active/active or active/passive and the passive/passive pairing that usually fails to initiate negotiation.

Exam trap

Remember, passive mode waits for the other side to initiate. Ensure at least one side is active to form an EtherChannel.

Why the other options are wrong

B

Passive mode does not initiate LACP negotiation; it only responds to incoming LACP packets. Active mode is the one that actively sends LACP packets. Therefore, passive mode is not stronger than active mode.

C

LACP configuration does not change the interface type; it only bundles multiple physical links into a logical EtherChannel. The interface remains a Layer 2 or Layer 3 port based on its configuration, not a routed port automatically.

D

Passive mode does not cause the switch to delete the port-channel configuration. The configuration remains, but the EtherChannel will not come up because no LACP negotiation occurs.

74
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.


Why this order

The correct order is to first exclude addresses to prevent the DHCP server from leasing reserved or gateway IPs, then create and configure the DHCP pool (network, default gateway), next enable DHCP relay on the required interface, and finally verify. Option D follows this Cisco best practice. Option A risks assigning excluded addresses because the pool is created before exclusions.

Options B and C place relay setup before the pool is fully configured, which is incorrect.

Exam trap

Candidates often mistakenly create the DHCP pool before excluding addresses, which can lead to the server leasing addresses intended to be reserved. Always configure exclusions first, then the pool, then relay, then verify.

75
PBQ · hard

You are connected to R1 via console. R1 and R2 are directly connected via GigabitEthernet0/0. Your task is to configure IPv4 and IPv6 addressing on both routers so that they can ping each other's IPv4 and IPv6 addresses. The current configuration has intentional faults: R1's IPv4 subnet mask is incorrect, R2 is missing its default gateway, and R1's IPv6 address uses EUI-64 but is not working due to a duplicate IP. Correct the IPv4 mask on R1, assign a static IPv6 address on R2, and ensure both routers can reach each other.

Network Topology
R1 G0/0 (192.0.2.1/30) <-- link --> R2 G0/0 (192.0.2.2/30)

Hints

  • Check the subnet mask on R1's G0/0 — the link between two routers typically uses a /30 mask.
  • R2 has no IPv6 address configured — assign one manually.
  • R2 cannot reach R1's IPv4 address because they are on different subnets and R2 has no default gateway.
A.On R1, change the IPv4 mask to 255.255.255.252; on R2, assign IPv4 address 192.0.2.2/30 and IPv6 address 2001:db8:1::2/64; configure a default route on R2 pointing to 192.0.2.1.
B.On R1, change the IPv4 mask to 255.255.255.0; on R2, assign IPv4 address 192.0.2.2/24 and IPv6 address 2001:db8:1::2/64; no default route needed.
C.On R1, change the IPv4 mask to 255.255.255.252; on R2, assign IPv4 address 192.0.2.2/28 and IPv6 address 2001:db8:1::2/64; configure a default route on R2 pointing to 192.0.2.1.
D.On R1, change the IPv4 mask to 255.255.255.252; on R2, assign IPv4 address 192.0.2.2/30 and IPv6 address 2001:db8:1::1/64; configure a default route on R2 pointing to 192.0.2.1.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
end

! R2
configure terminal
interface GigabitEthernet0/0
ip address 192.0.2.2 255.255.255.252
ipv6 address 2001:db8:1::2/64
exit
ip route 0.0.0.0 0.0.0.0 192.0.2.1
end

Why this answer

R1's IPv4 mask was /28, but the correct mask for the link should be /30 to avoid overlapping subnets (192.0.2.0/28 includes both .1 and .14, but they are on the same link). R2 had no IPv6 address configured. Additionally, R1's EUI-64 address was valid but R2 needed a static IPv6 address.

The solution: on R1, change the mask to 255.255.255.252; on R2, assign an IPv4 address with mask /30 and a static IPv6 address 2001:db8:1::2/64; also add a default route on R2 pointing to 192.0.2.1 for IPv4. After these changes, both routers can ping each other's IPv4 and IPv6 addresses.

Exam trap

Watch out for subnet mask mismatches and duplicate IPv6 addresses. Always use /30 for point-to-point links and ensure each router has a unique IPv6 address on the same link.

Why the other options are wrong

B

Using a /24 mask on a point-to-point link wastes addresses and may cause subnet overlap. R2 needs a default route to reach R1's IPv4 address if the mask is /30; with /24 both routers are in the same subnet, so no default route is needed, but the mask is still wrong.

C

R2's IPv4 mask must match R1's mask so that both routers agree on the subnet boundary. Using /28 on R2 while R1 uses /30 creates a mismatch.

D

Assigning the same IPv6 address to both routers causes a duplicate address conflict, preventing communication.
